Daycare Centre Modified Webcam Monitoring to Increase Privacy Protection

PIPEDA Report of Findings #2011-008


The complainant enrolled his son at a private daycare centre and was told that parents could pay a fee for its webcam service to let them see their child’s classroom in real time. Parents viewed the webcam feed via the Internet after entering a unique password.

The daycare centre stated that it had instituted the webcam service for two reasons: first, so it could monitor the classroom environment for security purposes; and, second, to provide parents with assurances regarding the classroom environment.

The centre told the OPC that approximately 60 per cent of the parents of registered children had enrolled in the webcam service, although the percentage of parents who had enrolled their children fluctuated during our investigation.

The complainant subsequently learned that the webcam feed was being recorded. He notified the daycare centre that he objected to the recording and that he felt appropriate privacy safeguards were not in place.

Following notification of the investigation, the centre deleted its saved video files and modified its systems to permanently cease recording the video stream captured by its webcam. The centre also implemented a privacy policy requiring all parents to sign a form consenting to the webcam monitoring, regardless of whether a parent wished to enrol in the service.

The daycare centre acknowledged that a parent would be able to record and disseminate the webcam feed as viewed on a personal computer. Upon our Office’s recommendation, the centre required parents using the webcam service to sign a contract agreeing to not record the webcam feed and promising to keep the assigned password confidential.

The daycare centre implemented all of our Office’s recommendations and we concluded that the complaint was resolved.

Lessons Learned

  • Both technological and contractual safeguards may be required to ensure adequate protection when dealing with the personal information of children – particularly highly sensitive personal information such as live video-streaming over the internet of very young children.
  • Examples of important contractual safeguards in this context can include having parents agree not to record information relayed via webcam and to keep their individually assigned password confidential, and informing parents that the webcam system allows other parents to view images of not only their children, but also other parents’ children.
  • In this context, meaningful consent should include alerting parents of the technological and contractual limitations to ensuring the full protection of their children’s personal information.

Report of Findings

Complaint under the Personal Information Protection and Electronic Documents Act (the “Act”)

1. The complainant, alleges that a daycare (“the daycare”)

  1. collected his child’s personal information without consent; and
  2. failed to adequately safeguard his child’s personal information.

Summary of Investigation

2. The complainant’s child attended the daycare.

3. Upon enrolling, the daycare advised the complainant that, for a fee, parents could enrol in its webcam service, which enabled parents to view their child’s classroom in real time. There is no monitoring of the bathrooms and diapering areas.

4. Access to the webcam is provided via the Internet upon entering a password unique to each parent.

5. The daycare states that its reasons for instituting the webcam monitoring program are two-fold:

  1. to allow the daycare to monitor the class room environment for security purposes; and
  2. to provide parents with assurances regarding the class room environment.

6. The webcam monitoring program was instituted after consultation with some parents, aware that similar organizations had instituted the program and had indicated parent satisfaction with its usage and the resulting peace of mind that was garnered by the webcam monitoring program.

7. At the time our investigation commenced, we were advised that approximately 60% of the parents of registered children at the daycare enrolled in the webcam service. The level of participation has varied over the course of our investigation, dipping as low as 16%. The latest figures the Office collected indicate that approximately 25% of parents were currently registered as users of the webcam service. The younger the student, the greater the participation by the parents.

8. The organization advises that no alternative methods would provide parents with the same ability to observe the child within the daycare environment.

9. In March 2007, the complainant became aware for the first time that the daycare had also been recording and storing the information captured by its webcam.

10. The complainant notified the daycare that he objected to the fact that its webcam activity was being recorded, and that appropriate safeguards were not in place.

11. Following notification of the complainant’s concerns, the daycare deleted its saved video files, and modified its systems so that it no longer recorded the video stream captured by its webcam.

12. The daycare also implemented a privacy policy. As part of that privacy policy, all parents (including those presently enrolled) were required to sign a webcam consent form, regardless of whether a parent wished to enrol in the webcam service. As a result of this protocol, all of the parents of children presently at the daycare are aware of the webcam, and all parents, whether participating or not, have been required to sign the consent form.

13. During the course of our investigation, the webcam system was configured to prompt for a password every 15 minutes. The failure to re-enter the password prevents further monitoring of the webcam.

14. The daycare acknowledged that should a parent wish to record and disseminate information viewed on a personal computer from its webcam, the capability exists to do so. For instance, a parent could record the video viewed on the webcam and could then share it on YouTube.

15. Because there were no technological safeguards to prevent a parent from recording the video viewed on the webcam and sharing it, our Office requested that the daycare ensure that parents enrolled in the webcam service sign a contract agreeing not to record the information relayed by the webcam, and promising to keep the assigned password confidential. The daycare responded that it had recently implemented our suggestion. The current Web Cam Viewing Policy now states that “Parents enrolled in the webcam service sign a contract agreeing not to record the information relayed by the webcam, and promising to keep the assigned password confidential and that it will not be used by anyone other than the parents.”

16. The daycare states, however, that it is not aware of any mechanism by which it can determine on a timely basis whether the contract has been breached, and in particular, whether the live stream has been recorded in violation of the contract. It is also not aware of any technical solution which would prevent downloading and dissemination of a webcam feed. It has noted, however, that the program has been in place since August 2000 without incident or any apparent or actual breach of any protocol or misuse of any material.

Application

17. In making our determinations, we applied subsection 5(3) and Principles 4.3, 4.3.2, 4.7 and 4.7.1 of Schedule 1 of the Act.

18. Subsection 5(3) states that an organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.

19. Principle 4.3 states that the knowledge and consent of the individual are required for the collection, use or disclosure of personal information, except where inappropriate.

20. Principle 4.3.2 requires “knowledge and consent”. Organizations shall make a reasonable effort to ensure that the individual is advised of the purposes for which the information will be used. To make the consent meaningful, the purposes must be stated in such a manner that the individual can reasonably understand how the information will be used and disclosed.

21. Principle 4.7 of Schedule 1 states that personal information shall be protected by security safeguards appropriate to the sensitivity of the information.

22. Principle 4.7.1 stipulates that that the security safeguards shall protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification.

Findings

August 5, 2011

23. In our Report of Investigation dated March 29, 2010, our Office was of the preliminary view that the daycare was not in compliance with Principles 4.7 and 4.3 and subsection 5(3).

24. As a result, the Report of Investigation recommended that the daycare cease its use of webcam monitoring program. It asked that we receive, within 30 days of the date of the report, the daycare’s response in writing, outlining how it intended to implement this recommendation. If the daycare had evidence that showed cause why implementing this recommendation was not possible, it was to provide this evidence and its plans to implement adequate alternative compliance measures to this Office within 30 days of the date of the covering letter. Upon receipt of the requested information, or at the end of the 30-day time period, we said that we would issue our findings.

25. However, following our initial Report of Investigation, we found it necessary to make additional recommendations to the daycare. What follows is the original text from the Preliminary Report of Findings:

Safeguards

26. Concerning the safeguards required by Principle 4.7, the daycare raised several points. Firstly, it asserted that the integrity of its webcam viewing service is based upon the contractual obligations of the parties. Secondly, the organization contends that it is unreasonable to adhere to a principle that has not—to the knowledge of any of the parties concerned—been breached as yet. Further, it states that the organization’s own privacy policies will acknowledge and “… safeguard the privacy issues of concern to the Commission.”

27. Clearly, security safeguards are not guarantees but they play an important preventative role in protecting privacy.

28. Principle 4.7 of the Act puts the onus on organizations to use security safeguarding methods that are appropriate to the sensitivity of the information. We consider the information obtained from real-time video surveillance of one’s child—and viewable from the Internet—to be highly sensitive personal information. As a result, strong security measures are required.

29. Pursuant to Principle 4.7.1, the daycare is required to protect personal information against loss or theft, as well as unauthorized access, disclosure, copying, use, or modification. The daycare is, therefore, obliged to take reasonable steps to ensure that parents do not use the video stream captured by the webcam for unrelated and unauthorized purposes (for example, recording and further disclosing information viewed on the Web).

30. In the course of our investigation, the daycare improved its organizational and technological security measures by ceasing to record the video stream, implementing a privacy policy and enhancing password protection features.

31. Our investigation has revealed that it is reasonable to expect that the daycare’s technological security measures be further enhanced. New recommendations in this regard are set out below in paragraph 34 (i - iii).

32. Our investigation has also confirmed that there are no additional technological measures that the daycare could reasonably adopt to protect the video stream against unauthorized copying, use or modification by the parents who have legitimate access to the video stream in question.

33. It is therefore incumbent on the daycare to implement additional contractual terms intended to prevent such inappropriate use because, as the daycare concedes, the security of its webcam viewing service depends in large measure on the strength of its contractual agreement with parents.

34. We are therefore recommending that the daycare enhance its technological and contractual safeguards by:

  1. implementing measures to ensure the list of authorized users and associated passwords is kept up-to-date as clients come and go, which might require the establishment of policies and procedures to deactivate outdated passwords;
  2. enabling the HTTPS feature for connections to the video service, which will ensure that encryption is used for all data that flows between the video service and the clients and provide positive identification of the video service;
  3. ensuring that service logs collected by the system are regularly reviewed for unusual activity (i.e. many failed login attempts, access by former clients);
  4. including in its Webcam Viewing Policy and consent form a provision that sets out clear and significant consequences for a breach of the contract, which might include revocation of a parent’s webcam viewing privileges and, in cases of serious or repeated breaches, cancellation of a child’s enrolment with the daycare; and
  5. including in its Webcam Viewing Policy and consent form a statement indicating that the integrity of the webcam viewing policy is ultimately dependent upon parental compliance with the terms of agreement because there is no technology that could be employed to enforce its terms. This will alert non-participating parents to risks that cannot be managed technologically and promote contractual compliance among participating parents.

Consent

35. With regard to consent, the daycare drew attention to the fact that all parents whose children are enrolled at the daycare must now agree to the monitoring of their children and sign a consent form for the monitoring (Webcam Viewing Policy). Parents who refuse to consent cannot enrol their children at the daycare. The respondent then remarked on the popularity of this type of monitoring in the daycare industry.

36. The daycare stated that since clear consent is provided by every participant in the program, the organization has fulfilled its obligations under the Act with respect to the collection, use and disclosure of the information in issue. The daycare believes that the consent provided by parents for the monitoring program is direct and express, and made with knowledge of the program, its use and purposes.

37. We have reviewed the consent form now provided to parents participating in the program (Webcam Viewing Policy). It clearly states in italics that parents must agree not to record the information relayed by the webcam and to keep their individually assigned password confidential. It also explicitly informs the parents that the webcam system allows other parents to view images of children who are not their own.

38. Parental consent will be better informed when the recommendations set out at subparagraphs 34(iv) and (v) of this Report are implemented, which will ensure parents are aware of the technological and contractual limitations to ensuring full protection of the personal information.

39. With respect to the issue of voluntariness of consent, we did not uncover any evidence that would suggest parents’ consent is not voluntary.

40. It would not appear that the use of webcam monitoring systems such as that utilized by the daycare is pervasive throughout the child care sector.

41. Our investigation established that several other licensed daycares, which do not use webcam monitoring, operate in the same geographic location as the daycare and the complainant’s home. Consultation with the Ministry of Children and Youth Services in Ontario revealed that of the 4,784 licensed child care programs operating in Ontario, only 61 offer live video streaming.

42. Because individuals would appear to have alternative child care options available that do not utilize live video streaming, there is no evidence that parental consent is not freely and voluntarily provided.

Reasonable Purposes

43. Subsection 5(3) of the Act states that an organization may collect personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.

44. While consent cannot, in itself, transform an inappropriate purpose for the collection of personal information into an appropriate one, the fact that the daycare’s clients have consented to allowing the monitoring of their children based on the information they have read and understood in the daycare’s Webcam Viewing Policy is a factor that will inform this analysis.

45. These parents have now been provided with information to enable them to understand some of the risks and implications of the video surveillance in question and can be considered to have accepted as appropriate the daycare’s purposes for monitoring their children based on all of the available information.

46. Once the recommendations this Office is making to the daycare in paragraph 34 are implemented, parents will have more information about additional risks and implications of the video surveillance as a result of the daycare’s inability to technologically limit parents’ capacity to reproduce and further disseminate video stream images.

47. Given the steps the daycare has taken to ensure more meaningful and informed consent, the evidence this office has obtained since our initial report concerning the widespread availability of daycares that do not use webcam monitoring and the dearth of available evidence concerning any long term, negative effects of the trend toward heightened surveillance of our children, we are unable to conclude at this time that the daycare’s purposes for the collection of personal information in issue are inappropriate or unreasonable.

48. Consequently, we are no longer recommending that the organization cease its use of webcam monitoring.

49. We are asking that, within 30 days of the date of this report, the daycare:

  1. implement or provide a written commitment to implement the technological protections described at subparagraphs (i) – (iii) of paragraph 34 of this report; and
  2. provide this Office with a revised and updated version of its Webcam Viewing Policy and consent form that incorporates the recommendations at subparagraphs (iv) and (v) in paragraph 34.

Response to Recommendations

50. In July 2011, the daycare advised our Office that it has implemented all of our recommendations as follows:

  1. The list of users is continuously updated and associated passwords are kept up to date. The list of users is reviewed each month and passwords are deactivated as soon as parents advise the company or stop paying for the service.
  2. The HTTPS feature for connections to the video service was activated, to ensure that all data flowing between the video service and clients is encrypted.
  3. The IT service provider will regularly review the webcam service logs and ensure that the system logs are regularly reviewed for unusual activity (i.e. multiple failed login attempts, access by former clients);
  4. The Webcam Viewing Policy and consent form were updated to include a provision that sets out clear and significant consequences for a breach of the contract, which might include revocation of a parent’s webcam viewing privileges and, in cases of serious or repeated breaches, cancellation of a child’s enrolment with the daycare; and
  5. The Webcam Viewing Policy and consent form were updated to include a statement indicating that the integrity of the webcam viewing policy is ultimately dependent upon parental compliance with the terms of agreement because there is no technology that can be employed to enforce its terms. The new statement will alert parents who do not use the video service to risks that cannot be managed technologically and will promote contractual compliance among participating parents.

51. As the daycare has implemented all of our recommendations, we find that its webcam service now meets the legal obligations of the Act.

Conclusion

52. Accordingly, our Office concludes that the matter is resolved.

 

Report a problem or mistake on this page
Please select all that apply (required): Error 1: This field is required.

Note

Date modified: