I was invited to co-chair and present at the Canadian Institute's "Meeting Your Privacy Obligations" conference in Toronto. My presentation was specifically about managing privacy in the workplace, which is below if you're interested.

Here's a link if Google Docs aren't giving you due respect: Managing Privacy in Employee Relations

I have to say it was one of the best conferences of its kind that I've been to recently. The stellar speakers included Federal Privacy Commissioner Jennifer Stoddart, Alberta Information and Privacy Commissioner Frank Work and fellow bloggers Brian Bowman and Dan Michaluk. (Note: If you're reading my blog, you'll find theirs to be equally interesting and useful. So after you've read all my postings, head over there ...)

Labels: employment, facebook, media-mention, presentations, privacy, vanity, workplace

I'm not sure how I feel about this. Apparently, MasterCard is introducing a feature for corporate cards that allows employers to set very strict parameters on spending. Economy class? Ok. Business class. Nope. HoJo's? Ok. Strip clubs? Not so much. The card also has detailed reporting that allows employers to keep close tabs on spending.

If an employee is spending the employer's money, it makes sense that the employer can set parameters on it. Business Week's article (You've Been Pre-Rejected) on the topic suggests that it smacks of big brother, but a lot of thinking about privacy depends upon peoples' expectations. If people understand what information is being collected and how it will be used (and it is reasonable), it is less likely that whatever is at issue will be seen as an invasion of privacy. Employees who use a corporate card where they know that the bill goes to the employer first can't reasonably be surprised if their employer gets upset over use of the card that does not fit within company policy. If employees know that the employer can set strict controls on the use of the card, I don't see the problem. If employees similarly are informed that the employer can see the bill in detail, it shouldn't be a problem.

Where the problems arise (and I'm sure they will) is that employers will use this product without telling the employees. The surveillance will be covert, which is much more pernicious and DOES lead to the big brother syndrome. You don't know when you're being observed and thsi leads to mistrust and insecurity. And it can also backfire: if an employee does not feel trusted, many will not act trustworthily (if that's a word!).

The product is also being touted as a tool for parents to keep track on kids' spending. Again, if you're spending someone elses' money they probably have a right to control how it is spent. But similarly, they'll have to make sure that their kids' expectations are tempered by the knowledge that Big Father (or Big Mother) is watching.

At the same time, I think the new MasterCard feature can be a benefit for privacy. Your (personal) credit card number and your (personal) credit card account are your personal information and you have a right to know how it is being used. I'd pay extra for a card that sent me a text message to advise of each charge. I'd be immediately alerted to any fraudulent use of the card and would be in a much better position to protect my own personal information. Whether this will be demanded as a card feature remains to be seen. But it is an example of a technology that can be intrusive and a boon to privacy at the same time. It depends upon how it is used and whether the user knows all about its features.

Labels: employment, privacy, workplace

I was interviewed some time ago for a Globe & Mail article on workplace surveillance, which appeared yesterday. The piece discusses keystroke loggers, access cards and video surveillance. See: globeandmail.com: Smile, Big Brother's watching.

Labels: media-mention, privacy, surveillance, vanity, video surveillance, workplace

This is weird, and creepy:

Microsoft seeks patent for office 'spy' software - Times Online

Microsoft is developing Big Brother-style software capable of remotely monitoring a worker’s productivity, physical wellbeing and competence.

The Times has seen a patent application filed by the company for a computer system that links workers to their computers via wireless sensors that measure their metabolism. The system would allow managers to monitor employees’ performance by measuring their heart rate, body temperature, movement, facial expression and blood pressure. Unions said they fear that employees could be dismissed on the basis of a computer’s assessment of their physiological state....

Labels: privacy, surveillance, workplace

Released today from the Information and Privacy Commissioner of Alberta:

Employee Assistance Provider found in contravention of Personal Information Protection Act

The Office of the Information and Privacy Commissioner has found that Wilson Banwell Human Solutions Inc. (Wilson Banwell) contravened the Personal Information Protection Act (PIPA) by disclosing more personal information than was necessary to a complainant's employer. The investigation also determined Wilson Banwell contravened PIPA by disclosing the complainant's personal information to a union for purposes that were not reasonable, and to an extent that was not reasonable.

After failing to pass a drug and alcohol test, the complainant was referred to Wilson Banwell, an Employee Assistance Provider (EAP), for a "return to work assessment." He signed a consent authorizing release of "assessment / treatment summaries" to his employer to facilitate his return to work. The complainant believed Wilson Banwell would limit its report to recommendations arising from the assessment. However, the Wilson Banwell psychologist sent a three-page report to both the complainant's employer and union. The report provided a summary of the clinical interview the psychologist conducted with the complainant, including details of a previous visit the complainant had made to Wilson Banwell on his own initiative, and some personal information of the complainant's wife.

The Investigator recommended Wilson Banwell:

• revise its "Release of Information" form to clarify exactly what information will be disclosed to a client's employer for return to work purposes, and
• remind all staff of Wilson Banwell's policies respecting written consent, and the requirement to disclose only the least amount of information necessary for reasonable purposes.

Wilson Banwell agreed to implement these recommendations.

For more information about investigation report P2007-IR-001, please visit our website at: http://www.oipc.ab.ca/

I expect the result would have been the same if the complaint was brought under PIPEDA, except the parties wouldn't have been named.

Labels: alberta, pipa, privacy, workplace

If you have any connection to a unionized workplace or advise any party in such an environment, run -- do not walk -- to Michael Fitzgibbon's latest post: Thoughts from a Management Lawyer: A Breath of Fresh Air - Surveillance Evidence.

Labels: privacy, surveillance, video surveillance, workplace

Once again, Australia is in the privacy news. This time, it is the Australian Tax Office, which has recently disciplined two dozen employees over inappropriate perusal of tax records.

Australian IT - Tax office sacks 'spies' (Ben Woodhead, AUGUST 29, 2006):

A SECOND government agency has been forced to sack staff for spying on client records, with the Australian Taxation Office taking action against 27 workers for breaches of privacy.

The tax office took action against 24 employees over inappropriate access to taxpayer files last financial year, with another three cases detected this year.

ATO first assistant commissioner for people and place, Anne Ellison, said 12 of the staff caught spying last year resigned on the spot. Four were sacked, two were fined and six had their salaries reduced or were demoted.

Two were ultimately prosecuted for breaches of the Tax Administration Act, with one sentenced to community service and the other fined.

The revelations come a week after multi-millionaire former actor and producer John Cornell - who is facing allegations that he and Paul Hogan held $40 million in Swiss-administered trusts and offshore companies without declaring it to the ATO - accused the tax office of a campaign of media leaks....

Thanks to Open and Shut for the link: Open and Shut: This time it's the Tax Office named in privacy breach.

Labels: australia, privacy, public sector, workplace

Labels: privacy, public sector, workplace

According to the CBC, a researcher from Ryerson University will be releasing a study today on surveillance in the workplace. When I get a copy of the report, I'll post a link if I can. In the meantime, here's what the CBC has to say:

CBC News: Employers spying on Canadian workers, study suggests:

Last Updated Mon, 10 Jul 2006 09:32:45 EDT

CBC News

Canadian employers in a wide range of industries conduct surveillance of employees at work, suggests a report to be released on Monday.

Produced by Toronto's Ryerson University, the study called 'Under the Radar' asked Canadian businesses about surveillance of their employees.

Employers view closed-circuit television cameras, listen to recorded phone calls, monitor e-mails and scan magnetic information from security passes, said lead author Avner Levin.

Levin, a law professor at the university, said he isn't surprised at the methods, but was taken aback by employers' attitudes toward employee privacy.

'Nobody said this is a problem, or even something they have to deal with in a proactive way. It's just simply under the radar,' said Levin.

Human resources executives responsible for workplace privacy often have little knowledge of the potential intrusiveness of technologies at work in their own companies, he said.

They rarely know what information is being collected by colleagues running company computer systems, he said.

'The executives that are responsible for privacy in the workplace are not fully aware of the extent of ... the surveillance activity that is conducted,' he said.

Managers often work without guidelines about how to respond if surveillance reveals an employee behaving suspiciously, said Levin.

E-mails monitored: U.K., U.S. study

The Ryerson study follows a large workplace survey in the United States and Britain, which suggested 40 per cent of employers regularly read employees' e-mails.

University of Ottawa privacy expert Michael Geist says Canadian firms are likely close behind.

"I don’t have any doubt that we're going to find more and more companies doing it," he said. "To move directly to full-on monitoring of e-mail use is as invasive as it comes."

The founder of Ottawa e-mail security firm Roaring Penguin warns companies must carefully consider their policies on e-mail.

"If you just put the technology in place and add a whole bunch of rules without thinking about what you're trying to do, you're probably blocking a lot of mail that shouldn't be blocked, letting stuff out that should be blocked and most importantly, irritating employees," said David Skoll.

Spell out polices: privacy laws

Canada has two federal privacy laws: the Privacy Act and the Personal Information Protection and Electronic Documents Act (PIPEDA).

The Privacy Act limits the personal information federal government departments and agencies can collect from Canadians.

Employees in federally regulated industries and the private sector are protected by PIPEDA, which says employers must let employees know what personal information is being collected and for what purpose. Employees must be able to see that information.

"At a minimum, employers should tell their employees what personal information will be collected, used, and disclosed," says the website of Canada's Privacy Commissioner.

"They should inform employees of their policies on web, e-mail, and telephone use, for example. If employees are subject to random or continuous surveillance, they need to be told so."

I have to correct one statement that appears in the article: "Employees in federally regulated industries and the private sector are protected by PIPEDA". PIPEDA only applies to employees of federal works, undertakings and businesses. It does not (NOT!) apply to private sector employees nationally. Employees in the rest of the private sector only have statutory privacy protections if they are in Quebec, British Columbia and Alberta, since PIPEDA does not apply outside of federally regulated workplaces and those provinces have set up provincial privacy laws.

Labels: alberta, bc, privacy, public sector, surveillance, workplace

The Privacy Commissioner recently released her finding following a complaint brought by a bank employee about the bank directly withdrawing funds from the employee’s bank account. (Commissioner's Findings - PIPEDA Case Summary #327: Bank retrieves overpayment of wages from employee's account (February 2, 2006))

In this case, the Complainant had been receiving benefits under the bank’s disability policy. She had been receiving payments for several weeks when it was determined that she was not eligible for the benefits. The bank determined that it was necessary to stop the next payment but it was too late as the amounts had already been deposited in the employee’s account. The bank then placed a hold on the funds and subsequently withdrew them directly from the employee’s account.

The individual complained to the Office of the Privacy Commissioner and reference was made, either by the Complainant or by the bank, to Section 254.1(2)(d) of the Canada Labour Code which allows an employer to make deductions from wages for “overpayment of wages by the employer.” It was the bank’s argument that it was entitled to take the funds from the account based on this particular provision.

The Privacy Commissioner of Canada considered the complaint and the provisions of the Canada Labour Code, including that the bank might have been entitled to deduct such amounts from wages before they are paid it and the Personal Information Protection and Electronic Documents Act do not allow the bank to unilaterally retrieve a sum of money from her account. The Commissioner concluded “the bank had misused the Complainant’s personal information when it took advantage of its dual role as her employer and bank and retrieved money from her account, without her knowledge or consent, thereby breaching Principle 4.3”.

The Complaint was found to be “well founded and resolved” and the bank has committed to change its procedure for recovering funds due from the accounts of bank employees.

Labels: pipeda findings, privacy, public sector, workplace

The Privacy Law Site is reporting that an employee of Equifax had his laptop stolen in Europ last month. The computer contained names and social security numbers for all of the company's US-based employees. See: The Privacy Law Site: Equifax Laptop Stolen.

Why would an employee need to travel with that information? I dunno.

See also: Chron.com | Equifax: Laptop With Employee Data Stolen.

Labels: incident, laptop, privacy, public sector, workplace

Incident: Computerworld is reporting that an employee of the Oregon Department of Revenue downloaded trojan software along with porn videos, apparently compromising personal information about 2,300 Oregon taxpayers: Trojan horse captured data on 2,300 Oregon taxpayers from infected gov't PC.

Lesson: Practice safe surfing or you might get infected.

Labels: incident, information breaches, privacy, public sector, workplace