B.C.’s privacy watchdog is blasting staff at the District of Saanich for their “deep lack of understanding” about privacy rights in a report on the District’s use of employee monitoring software.
The Spector 360 program, which is capable of monitoring computer keystrokes and instant messaging applications and of recording screenshots, was installed on the computer of Mayor Richard Atwell and at 12 other stations on Dec. 2, the day after Atwell and councillors assumed office. Atwell made his concerns about the software publicly known on Jan. 12, which prompted an investigation by the Office of the Information and Privacy Commissioner.
In her report, Elizabeth Denham said the District failed to properly notify employees about the installation and use of Spector 360. Denham also found “the District’s submissions to my office demonstrate a deep lack of understanding about the most basic tenets of the (Freedom of Information and Protection of Privacy) Act, such as what constitutes the collection of personal information.”
At a press conference held Monday on the grounds of the B.C. legislative buildings, Atwell said he is happy to be vindicated in his belief that the spyware was in violation of privacy laws.
“This is bigger than Saanich. It’s (about) personal privacy for employees, citizens and elected officials that goes beyond our borders,” Atwell said. “I’m very concerned how we got to this point where essentially, I was right, and seemingly everyone else was wrong. And it took Elizabeth Denham to come out with her own investigation to validate what I was saying in the first place.”
In an interview, Denham said she initiated the investigation into Saanich’s use of Spector 360 because she perceived a general lack of understanding around privacy rights in the workplace. Based on media reports at the time, she was also concerned the District would continue to use the spyware.
“This is not the 20th century anymore,” Denham said. “Here was a case where there appeared to be a very hurried decision to purchase off-the-shelf software to address some shortcomings in IT security with no consideration that they were even collecting personal information.”
Denham also criticized a Jan. 13 District press release that stated its employees had no reasonable expectation of privacy while using workplace computers.
“Employees don’t check their privacy rights at the office door,” Denham said. “There are shades of grey … and tools that are reasonable in the office place, but keystroke logging and screen scraping and comprehensive monitoring in real-time of what employees are doing is seldom acceptable.”
Also on Jan. 13, Coun. Judy Brownoff told reporters: “I want to assure the public that our security measures protect Saanich’s database and everything on the system. Our staff are in charge to ensure it’s secure.”
Denham’s report makes clear that line of reasoning – that the software was installed to better protect the District’s IT resources – was faulty.
“Spector 360’s utility … can only provide District IT staff with the ability to review those actions after a security breach has already taken place,” Denham said.
The spyware actually weakened Saanich’s IT security “by concentrating the personal information of key employees and officers in one location, creating a ‘honeypot’ for external attackers,” Denham added.
Staff also previously asserted that the installation of Spector 360 “was in response to the conclusions of a May 2014 independent, external audit of the District of Saanich computer system.”
But Denham reviewed the IT audit report and said it does not make any specific recommendation about the purchase and installation of employee-monitoring software.
“The audit’s author, also interviewed by my Office, confirmed that he did not make any such recommendation nor did he intend to make any recommendation that could be interpreted to recommend the installation of monitoring software such as Spector 360,” Denham said.
The Office of the Information and Privacy Commissioner is making five recommendations in its report, including disabling Spector 360 (acting CAO Andy Laidlaw confirmed the District took this step voluntarily in January); destroying all personal information collected by Spector 360; updating District privacy policies; and creating administrator logs to track when anyone accesses IT systems that store personal information.
Denham is also recommending the District of Saanich implement a comprehensive privacy management program, complete an audit of the District’s compliance with FIPPA and appoint a privacy officer.
Atwell said council will discuss the privacy commissioner’s report on April 13 and decide then how to proceed with Denham’s recommendations.
“We have to digest the report and find out what the implications of it are,” Atwell said. “My focus is going to be on the recommendations and how Saanich gets up to speed in our laws.”