B.C.’s privacy commissioner to investigate Saanich spyware concerns

Information and Privacy Commissioner Elizabeth Denham acts on her own concerns in case concerning Mayor Richard Atwell

Saanich Mayor Richard Atwell revealed to media Jan. 12 his concerns about the installation of employee monitoring software on his and other computers at Saanich municipal hall.

Saanich Mayor Richard Atwell revealed to media Jan. 12 his concerns about the installation of employee monitoring software on his and other computers at Saanich municipal hall.

B.C.’s Information and Privacy Commissioner is initiating an investigation into the District of Saanich’s use of monitoring software to track employee activity on its computer systems.

Elizabeth Denham confirmed her investigation in a press release on Tuesday.

“My office has been closely following recent events in the District of Saanich, where allegations have been made that spyware is being used on district-owned computers to monitor employees with or without their consent,” Denham said.

“In light of many outstanding questions and concerns, I have decided to act on my own motion and initiate an investigation into whether the District’s use of employee monitoring software complies with the Freedom of Information and Protection of Privacy Act.”

In the course of an investigation, Denham has the power to compel disclosure of documents, interview government or company officials, make legal findings and issue compliance orders or recommendations for change.

“We need the facts concerning implementation of the software, including what methods of data capture have been enabled and the extent to which personal information is being collected from employees,” Denham said.

The investigation is expected to be complete before the end of March, and Denham’s findings will be made public.

Mayor Richard Atwell made public his concerns over spyware installation on several municipal hall computers on Jan. 12.

Last week, Saanich’s director of corporate services, Laura Ciarniello, released a statement on behalf of staff who handle software at the District of Saanich’s municipal hall and confirmed technicians had installed a program called Spector 360 on several computers, including one used by the Mayor. Ciarniello was responding to Atwell’s suggestion that data from his and other municipal computers was being collected on a centralized server known as “Langley.”

While the statement did not go into details over what data or activity is monitored, Ciarniello did say the Mayor received a form which notified him of the software.

“The Mayor was given this form at the time his computer was installed on Dec. 2. Although no signed form has been returned by the Mayor, computer access was granted to facilitate his role in the organization,” Ciarniello said.

Atwell said he did not receive any documents notifying him of the software.

The only way to review data captured by Spector 360 is by following a secure administrative process triggered in response to an incident, Ciarniello said. Any review would have to be authorized by either the Chief Administrative Officer or Director of Corporate Services. That process had not been activated at the time of the statement, she said.

In an open letter released last week, Denham suggested it is highly unlikely that a municipality can justify the use of covert monitoring software.

“There are two types of system monitoring of employees: overt and covert. Overt monitoring is done with the knowledge of the employee,” Denham said.

Covert monitoring is done without an employee’s knowledge and could include tracking of Internet use, logging keystrokes or taking screen captures at set intervals, she said.

“The threshold for covert monitoring is very high,” Denham said. “That being said, there have been no cases brought before this Office where covert monitoring was found to be justified under privacy law.”

It is not yet known to what extent the employee monitoring software is used at municipal hall.

On Jan. 14, Saanich councillors dismissed the suggestion of criminal behaviour around the software installation in a unified statement. They said monitoring software was installed on several municipal computers following a third-party audit of the District of Saanich computer system in May 2014.

The review recommended the installation of security software to protect the the municipal database from external threats and to monitor internal activity that may result from external threats, but it’s not yet known why the audit was requested.

Repeated requests to Saanich’s corporate services department to obtain a copy of the third-party audit went unanswered.

In reaction to the privacy commissioner’s investigation, Coun. Fred Haynes said Tuesday that Denham’s investigation should provide welcome clarity surrounding privacy concerns about the employee monitoring software.

“It’s going to address people’s concerns one way or another. It’s a positive, healthy step forward,” Haynes said.

Last week, Saanich police Chief Bob Downie concluded his own criminal investigation into the the software installation and told council no criminal act had taken place. Atwell has now asked the B.C. Office of the Police Complaint Commissioner to investigate a potential conflict of interest in the matter.

Atwell has agreed to recuse himself from police board meetings when agenda items or discussion related to the OPCC investigation arises.

-with files from Travis Paterson