Right to privacy: Are you protected when using your work phone?
Legal experts weigh in on use of data-extraction tools by federal departments
Employees in both the private and public sectors in Canada have rights regarding the protection of their personal information, even when they use devices that belong to their employer, say legal experts consulted by Radio-Canada.
In November, a Radio-Canada report revealed that at least 13 federal departments and agencies use tools or software that can recover even encrypted and password-protected data found on computers, tablets and mobile phones.
These can include text messages, emails, photos and travel history. Certain software can also access a user's cloud-based data and reveal their internet search history, deleted content and social media activity.
A parliamentary committee will be looking into the federal department's use of these instruments starting Thursday.
The right to privacy
Many departments say they utilize these tools and software for investigations into alleged violations of various laws, and only after obtaining a search warrant.
But others say they also use them without a warrant on government-issued devices — when employees are suspected of wrongdoing such as harassment or false overtime claims, for example.
One needs to ensure that the collection of this data is absolutely necessary.- Pierre-Luc Déziel, Laval University
"An employee will maintain a reasonable expectation of privacy with regard to their data, even when they use a device that is provided and administered by their employer, who remains the owner of this shell, if you will," Pierre-Luc Déziel, a professor of law at Laval University who specializes in privacy protection, told Radio-Canada in French.
When it comes to privacy, Canadian law distinguishes between the device and the personal information it holds, Déziel explained.
"Just because an employee does not own the device — the tablet, the phone, the computer, whatever — does not mean that their privacy rights with respect to the data that is contained in this device are completely extinguished."
Éloïse Gratton, a partner at Borden Ladner Gervais who leads the law firm's privacy and data protection practice, offered a similar observation.
"Whether in the public sector or the private sector, the employer does not have free play. The employee has certain privacy rights, even in the workplace or in a work context," Gratton said in French.
However, that protection may be diminished depending on the nature of the work, she said.
"If the employee works in an industry, whether in the public or private sector, where there are a lot of national security issues, for example, it would be more acceptable to carry out some surveillance or use data-extracting tools to ensure public safety."
Internal investigations
Shared Services Canada (SSC) is among the federal institutions that uses data-extraction instruments for internal investigations. The agency provided additional information to Radio-Canada after the initial article was published in November.
"Examples of such investigations include when there is suspected inappropriate website browsing, a malicious software installed on a device, or a suspected false claim of overtime," the agency said.
"Digital forensics tools are exclusively used on government-issued devices and in very specific and limited circumstances."
The department said it has used these tools six times over the last two years.
Fisheries and Oceans Canada also said it uses the tools for internal investigations "involving government policy violations, such as fraud or workplace harassment."
In those cases "no judicial authorization is required, because the data belongs to the department," it said.
The tools are also used to maintain computer network integrity, according to various federal departments.
Gratton and Déziel both say an employee's expectation to privacy is augmented if their employer allows them to use their work phone or computer for personal purposes.
Personal use of government of Canada devices and networks is allowed if conducted on personal time and if it's not done for financial gain, does not incur additional costs for the department and does not interfere with its conduct of business.
Making personal travel arrangements, buying products online, paying bills, banking, contributing to discussion groups and updating a personal blog are some of the examples listed as acceptable personal use by the federal government's "directive on service and digital."
The directive also states that employees who choose to store their personal information on a government network or its equipment do so at their own risk.
4 questions for employers
The use of potentially intrusive technology on employees' phones or computers may be permitted in certain circumstances, according to the two legal experts.
But they add that an employer should ask themselves four essential questions before they allow such use, to ensure that it complies with Canadian law:
- Is there a specific and legitimate problem to resolve? (In the absence of a specific and legitimate problem, privacy violations are difficult to justify.)
- Is the chosen tool effective in solving the problem?
- Is the invasion of the employee's privacy proportional to the objective being pursued?
- Are there less intrusive ways to achieve the same ends?
"Retrieving almost all of the data or history of a device is a very significant form of invasion of privacy," Déziel said. "So the objective must also be very important. One needs to ensure that the collection of this data is absolutely necessary."
It's not known what data the federal institutions retrieved from the targeted devices.
No impact assessments performed
A federal directive requires that all departments carry out a privacy impact assessment prior to any new activity that involves the collection or handling of personal information.
- BQ calls for study into use of tools capable of extracting data from phones
- Parliamentary committee to study federal departments' use of tools to extract personal data
According to their written responses to Radio-Canada, no department did so before using data-extracting tools, but they say they acted in accordance with a series of legal requirements.
"The President of Shared Service Canada (SSC) is authorized under the Financial Administration Act to conduct these investigations at the request of SSC's Chief Security Officer," the agency wrote.
"These investigations comply with the Policy on Government Security and are conducted in a secure, isolated SSC forensic lab."
SSC said the lab is not internet-accessible and the data is only transmitted to its chief security officer.
Fisheries and Oceans Canada also said its internal investigations "are based on policies and procedures delegated by the Chief Security Officer." Personal information is kept in "isolated laboratories" and in compliance with the Privacy Act, the department said.
Gratton said it's good practice to have security measures in place to protect the seized personal information, but she insists on the need for an employer to check at the outset whether the means used to obtain such data is justified.