Today, Michael Geist has a blog posting about workplace monitoring. He mentions the Canadian Internet Policy and Public Interest Clinic and applauds them for their involvement in the recent decision from the Alberta Information and Privacy Commissioner about keystroke logging. The posting is interesting, in and of itself, but the part that has the widest policy implications is the inconsistency of rules from coast to coast in Canada about workplace privacy. Some provinces have privacy laws that apply in the workplace, but most do not. The federal law, PIPEDA, only applies to federal works, undertakings and businesses leaving the rules dramatically inconsistent from province to province.

Michael Geist - Unequal Privacy Protection

"The Alberta Privacy Commissioner recently issued a noteworthy decision on the use of keystroke logging in the workplace that hits home for several reasons. First, the facts of the case: an employee at an Alberta library uncovered the fact that his supervisor had installed a keystroke logger program on his computer to monitor his activities. The supervisor claimed the move was made due to productivity concerns. The employee filed a complaint and last week Commissioner Frank Work ruled in favour of the employee. He found that the evidence did not support the supervisor’s claims and that there were far less intrusive methods to address any productivity concerns. Moreover, the employee had actually been given permission to engage in Internet banking during work hours, yet this too was monitored and logged.

As I mentioned, this case has particular resonance for me. On a substantive level, it points to the disturbing level of unequal privacy protection in the Canadian workplace. This specific case involved a public institution in Alberta, but provincial privacy laws there would have provided some measure of protection for all workers. The same is not true for all Canadian provinces. In Ontario, workers at federally regulated businesses benefit from PIPEDA protection and workers at public institutions from public privacy laws. Moreover, workers in unionized settings also typically enjoy some level of protection. If you fall outside of those protected workplaces, however, you may be out of luck. That is simply wrong: the privacy protections against invasive surveillance enjoyed by some Canadians in the workplace must surely be enjoyed by all.

The case also resonates on a personal level. First, I wrote about these issues several years ago in a study for the Canadian Judicial Council, which was then concerned about the legality of electronic surveillance of the judiciary. The issues raised then remain valid today.

Second, I am very proud that the Canadian Internet Policy and Public Interest Clinic (CIPPIC), the public interest technology clinic at our law school, played a role in the case by providing a legal memo to the employee to help him pursue the case.

I receive regular requests for assistance and advice. I try to provide at least a short answer when I can, though admittedly the volume of correspondence is making that increasingly difficult. In any event, last June this employee sent me an email looking for help. I'm grateful that Pippa Lawson and her CIPPIC team jumped at the chance to get involved. CIPPIC has garnered considerable attention due to its involvement in the file sharing litigation. I think it has done a remarkable job in that case, but we should not overlook the fact that the clinic is helping to fill the void on many other important issues. Congratulations all round."

Labels: alberta, information breaches, privacy, surveillance