Sun. Feb 25th, 2024

Right to privacy: what happens when you use the work phone?

Open in full screen mode

At least thirteen federal agencies and departments use tools or software capable of extracting data from electronic devices such as phones and computers.

  • Brigitte Bureau (View profile)Brigitte Bureau

Speech synthesis, based on artificial intelligence, makes it possible to generate spoken text from written text.

Jurists raise important issues in matters of privacy, following revelations by Radio-Canada on the federal use of tools to recover data from electronic devices, particularly when civil servants are suspected of misconduct.

Employees in both the private and public sectors have privacy rights, even when using devices that belong to their employer, say experts consulted by Radio-Canada.

A Radio-Canada report revealed in November that at least thirteen federal agencies and departments use tools or software capable of extracting data – even encrypted and protected by passwords – which are found on smartphones, computers or tablets.

This may include emails, text messages, photos and travel history . Certain software can also access a user's computer cloud and trace their Internet searches, deleted content and activities on social networks.

As of February 1, 2024, a parliamentary committee will examine the use of these instruments at the federal level.

Several departments say they use these tools or software for investigations into alleged violations of various laws and only after obtaining a search warrant.

But others say they also use them without a warrant on government-issued devices, for example when officials are suspected of wrongdoing, such as harassment or false reporting of overtime.

An employee will maintain a reasonable expectation of privacy with regard to his data, even when he uses a device that is provided and processed by his employer who remains the owner of this shell, if you will, says Pierre-Luc Déziel, professor of law at Laval University and specialist in protection of the right to privacy.

Open in full screen mode

Pierre-Luc Déziel is a law professor at Laval University and a specialist in the protection of the right to privacy.

He explains that when it comes to privacy, Canadian law distinguishes between the device and the personal information that is stored. x27;there.

Just because an employee doesn't own the device, tablet, phone, computer, whatever, doesn't mean their privacy right to with regard to the data contained in this device is completely extinguished, says the professor.

Same observation from lawyer Éloïse Gratton , partner at BLG where she leads the national Privacy and Protection of Personal Information practice group.

Whether in the public or private sector, the employer does not have free play. The employee has certain rights in matter of privacy, even in the workplace or in a work context.

A quote from Éloïse Gratton, privacy lawyer

The lawyer specifies, however, that this protection may be reduced depending on the nature of the employment.

Open in full screen mode

Lawyer Éloïse Gratton is a partner at BLG where she leads the national Privacy and Protection of Personal Information practice group.

C&# x27;is certain that if the employee works in an industry, whether in the public or private sector, where there are a lot of national security issues for example, it would be more acceptable to do some surveillance or use data mining tools to ensure public safety, Gratton said.

Shared Services Canada is one of the federal institutions that uses data extraction tools for internal investigations. The agency provided additional information to Radio-Canada after the initial article appeared in November.

Examples of investigations include suspicion of inappropriate web browsing, installation of malware on a device or suspicion of false overtime reporting, the agency says.

< source srcset=",w_700/v1/ici-premiere/16x9/internet-cable-serveur-reseau.jpg" media="(min-width: 0px) and ( max-width: 1023px)">Open in full screen mode

Some federal institutions, such as Shared Services Canada, say they use data extraction tools during investigations when officials are suspected of misconduct or to maintain the integrity of computer networks.

It specifies that digital forensic investigation tools are used exclusively on government-issued devices and in very specific and limited circumstances.

Shared Services says it has used it six times over the past two years.

The Department of Fisheries and Oceans also says it uses it for internal investigations into violations of Government of Canada policies, such as fraud or harassment in the workplace.

No judicial authorization is required, because the data belongs to the ministry, says the ministry.

Open in full screen mode

Fisheries and Oceans is one of the departments that uses data extraction tools to conduct, among other things, internal investigations when civil servants are suspected of fraud or harassment in the workplace, for example.

These tools are also used to ensure the integrity of government computer networks, supporting various federal institutions.

Initially, Health Canada claimed to have never used the data extraction tool it purchased in 2016. However, the department has corrected the situation after it was pointed out to him that his name appeared in more recent contracts.

The tool was used by Health Canada in a limited capacity to assist in investigations between 2016 and 2021, the department acknowledged, while declining to say for what purposes.

For security and confidentiality reasons, we cannot discuss specific cases, says the ministry, which says it no longer uses it.

Lawyer Éloïse Gratton and law professor Pierre-Luc Déziel agree that expectations regarding the protection of employees' privacy are increased when the employer allows them to exercise their privacy. use their work phone or computer for personal purposes.

At the federal level, personal use of Government of Canada devices and networks is permitted during the employee's personal time, if this activity has no financial purpose, does not incur any additional costs for the ministry and does not harm the work of the institution.

Organizing a personal trip, carrying out banking transactions, shopping online, participating in discussion groups and blogging are among the examples of ;acceptable personal use cited in the Federal Directive on Services and Digital.

This directive also states that employees who decide to retain their personal information on government networks or devices do so at their own risk.

In certain circumstances , the use of potentially intrusive technologies in employees' phones or computers may be permitted, according to the two lawyers.

But they explain that an employer should ask itself four main questions before deploying them, to ensure it complies with the law Canadian.

A four-question test for employers:

    < li>Is there a specific and legitimate problem to resolve? (In the absence of a specific and legitimate problem, invasions of privacy are difficult to justify.)
  1. Is the chosen tool effective in resolving this problem?
  2. Is the invasion of the employee's privacy proportional to the importance of the objective?
  3. Are there less intrusive means of x27;achieve the same ends?

Retrieving almost all of the data or history of a device is a form of invasion of privacy which is very significant, says Mr. Déziel. So the objective must also be very important. We really need to ensure that this collection is absolutely necessary, he said.

The institutions have not specified which data they recover in the targeted devices.

A federal directive requires departments to conduct a privacy impact assessment before implementing any new activity that involves the collection or processing of personal information.

According to the written responses of the ministries to our questions, none of them carried out such an assessment before using data extraction tools. data.

But they say they act in compliance with a series of legal requirements.

Open in full screen mode

At least 13 federal government departments and agencies use data extraction tools to conduct different types of investigations.

The President of Shared Services Canada (SPC) is authorized under the Financial Administration Act to conduct these investigations following the request of the chief security officer of SSC, writes the agency.

Investigations comply with the Government Security Policy and are carried out in a secure and isolated forensic laboratory, she said. Shared Services adds that the laboratory is not accessible from the Internet and that data is only transmitted to the chief security officer.

The Department of Fisheries and Oceans also says its internal investigations are based on policies and procedures delegated by the head of security. He adds that personal information is kept in isolated laboratories and in compliance, among other things, with the Personal Information Protection Act.

The x27;Lawyer Gratton says that putting security measures in place to keep the personal information captured is a good practice. But it recalls the need for an employer to check, at the outset, whether the means used to obtain this information is justified.

  • Brigitte Bureau (View profile)Brigitte BureauFollow

By admin

Related Post