OFFICE OF THE
INFORMATION &
PRIVACY COMMISSIONER
for British Columbia

Protecting privacy. Promoting transparency.

April 9, 2015

Andrew Laidlaw
A/Chief Administrative Officer
District of Saanich
770 Vernon Ave
Victoria, BC V8X 2W7

Dear Andrew Laidlaw:

Re: Investigation Report F15-01 - OIPC File No. F15-60273

Thank you for your letter of April 2, 2015, regarding Investigation Report F15-01: Use of
Employee Monitoring Software by the District of Saanich.
I appreciate being advised that the District has adopted two of the recommendations
and that the remaining three will be forwarded to Council with a positive
recommendation for their adoption.

In your letter you also raise concerns about statements and findings made in the
Investigation Report and media release, and ask that I provide some comment on your
perspective. Primarily, you cite the following excerpt as being of limited accuracy:

"One of the most disappointing findings in my investigation of the District of
Saanich's use of employee monitoring software is the near-complete lack of
awareness and understanding of the privacy provisions of B.C.'s Freedom of
Information and Protection of Privacy Act (FIPPA)."

You indicate that the accuracy of that conclusion is limited to the interviews conducted
and by the scope of the documents reviewed in the course of my investigation. In
addition, you suggest that you would have been pleased to provide my office with
information about the elements of your privacy management program and the content of
your staff training.

I would like to convey some of the main elements of my investigators' experience in
dealing with District staff in order to further help you understand the basis for the
accuracy of my statements.

Mail PO Box 9038, Stn Prov. Govt, Victoria BC V8W 9A4 Location 4th floor, 947 Fort Street, Victoria BC
Tel. 250-387-5629 | Fax 250-387-1696 | Toll free through Enquiry BC 800-663-7867 or 604-660-2421 (Vancouver)
Twitter @BCInfoPrivacy | www.oipc.bc.ca

By way of background, my staff requested that the district provide my office with all
documents that were relevant to the investigation; those requests were made multiple
times, both in writing and in person. If there was any District policy, privacy
management program, privacy manuals, privacy impact assessment, or other document
that was relevant to our investigation, I question why that material was not forthcoming
during the course of the investigation.

District Submissions

When my staff first requested that the District provide its position on how its collection,
use, or disclosure of personal information by Spector 360 was authorised by FIPPA, we
were provided with the following single sentence: "[t]he purpose of Spector 360 was to
protect and secure the computers of high profile users."

That answer did not mention FIPPA, provide any explanation for how the legislation
authorized Spector 360, or even refer to the collection of personal information. My staff
proceeded to explain to senior District staff how FIPPA functioned; specifically
explaining that in order to collect, use, or disclose personal information, the District must
be able to point to a section of FIPPA that authorizes it to do so.

We received the District's revised submissions by email from Laura Ciarniello on
February 10, 2015. The content of those submissions displayed what can again be
fairly described as a near-complete lack of understanding of FIPPA and its application
to the District.

If the District does have a more sophisticated understanding of FIPPA in relation to its
programs and activities than is described in the Investigation Report, then that
understanding should have been reflected in those submissions. However, it is not
credible that a public body with an understanding of privacy law or of FIPPA could have
drafted submissions that fundamentally misapplied the relevant sections of that Act.

Notice to employees

As discussed in the Investigation Report, FIPPA requires that public bodies provide
individuals with notice of the collection of their personal information. This is not just a
FIPPA requirement; it is a reflection of the widely accepted basic privacy principle that
individuals should be provided with clear and easily accessible statements about the
collection, use, or disclosure of their personal information.

The District provided my office with its Network Access Terms and Conditions Form
which Laura Ciarniello stated provided adequate notification to employees of the
collection of their personal information by the District. However, this form did not
mention FIPPA or the collection of personal information, and did not include any of the
elements expressly required by law. It is notable that this form was not created
specifically for the implementation of Spector 360, but was intended to serve as, among
other things, notice for any collection of personal information by the District in relation to
its communication and IT resources.

If the District had adequately implemented the privacy management program described
in your letter, it would have been reflected in the District's compliance with the notice
requirements of FIPPA. It is not sufficient for the District to have in place a privacy
management program if that program is not known of or understood by District
management and employees.

Director of Legislative Services

In your letter you ask why my staff declined an interview with your Director of
Legislative Services, Carrie MacPhee. By letter on January 26, 2015, my office asked
Laura Ciarniello to provide the list of individuals that she had arranged for our office to
interview on February 3, 2015. In response by telephone she provided the following list
of names:

Forrest Kvemshagen, Manager of Information Technology;
John Proc, Assistant Manager of Information Technology;
Andy Laidlaw, Chief Administrative Officer; and
Laura Ciarniello, Director of Corporate Services

Upon reviewing the list of interviewees, my staff requested that Ms. Ciarniello also
arrange for them to interview the IT technician who installed Spector 360, a
representative of the Human Resources department, and an employee who was an
example of a computer user who had Spector 360 installed on his or her computer.

The Director of Legislative Services' name was subsequently put forward as the
example of a computer user. After the other interviews on February 3, 2015,
Ms. Ciarniello asked if my staff wanted to speak to the Director of Legislative Services.
After confirming with Ms. Ciarniello that the Director was being made available as an
example of a computer user, my staff indicated that they no longer needed to interview
a user because they had the information they needed regarding whether users were
notified about the installation of Spector 360.

I hope you can appreciate that as the Director of Legislative Services' name was never
put forward as the person responsible for FIPPA, but rather as a person who had
Spector 360 installed on her computer, it is inaccurate to state that my staff declined to
interview the individual responsible for privacy within the District. Rather, it would be
more accurate to state that my staff declined to interview the person selected by
Ms. Ciarniello to act as an example of a computer user who had Spector 360 installed
on her computer.

Almost without exception in an investigation such as this, the person responsible for
privacy takes a lead role in liaising with our office, and in explaining how the activities
under investigation are authorized by FIPPA. However, at no point during our
investigation was the Director of Legislative Services or any other District manager or
officer identified as the person responsible for FIPPA compliance within the District.

We have, since the release of the Investigation Report, been contacted by the Director
of Legislative Services who stated that she is the Director responsible for privacy and
access to information. However, she was unable to explain to my staff why she was not
identified as such during the investigation or at any point play a role in liaising with my
office.

I would also note that the Director of Legislative Services was present at the
November 19, 2014 meeting where the implementation of employee monitoring
software was discussed, including specific discussion regarding onto which
workstations the software would be installed. However, in the documents provided to
my staff by the District we can find no mention of any concerns being raised regarding
the privacy implications of this course of action, or of the need for the District to consider
its obligations under FIPPA before proceeding.

The only District employee who questioned the privacy invasiveness of the use of
Spector 360 was the IT Technician who was tasked with its installation. As described in
the Investigation Report, that person voiced his concern but was specifically directed to
install the software with the most privacy intrusive functions enabled.

I therefore respectfully suggest that these circumstances describe a public body in
which management was not aware of its privacy obligations under FIPPA and that my
public comments in this regard are validly founded. Thank you again for your letter.

Sincerely,

Elizabeth Denham
Information and Privacy Commissioner
for British Columbia

pc. Mayor and Councillors, District of Saanich.