The breaking down of barriers between the professional and personal spheres: Does privacy still mean something?

Remarks at the Cybercrime: How to ensure the security of individuals and businesses, while protecting fundamental freedoms Symposium

November 16, 2012
Lyon, France

Address by Jennifer Stoddart
Privacy Commissioner of Canada

(Check against delivery)


Introduction

Thank you for inviting me to talk to you today and thanks to the organizers for including privacy issues in this cybercrime symposium.

Many of us like to keep our personal life separate from our professional life. Home is home and work is work.

Many people feel that it is important to maintain a clear barrier between these parallel lives. After all, this is what allowed Clark Kent to also be Superman.

Our expectations of privacy may differ depending on whether we are carrying out a personal activity or a professional activity.

These expectations don't disappear when we are at work—they are still present.

In fact, privacy protection is an important concern in the workplace. Organizations need to adopt concrete measures to protect the personal data of clients and employees alike.

I will first discuss the technology aspect of this issue and then the human aspect, using examples from the Office of the Privacy Commissioner of Canada and from Canadian case law.

Technology perspective

The breaking down of barriers between our personal and professional lives is fundamentally linked to the information technology revolution.

In fact, our access to powerful computer technology, mainly on the general consumer market, is largely responsible for this.

Today, individuals have access to hardware and software at home that is just as powerful as their equipment at work and, in some cases, even more powerful.

This has led to the consumerization of information technology, in other words, the tools normally intended for private use being used to carry out professional activities.

A basic example of this trend relates to the practice of taking work home on a USB key which can be plugged into a personal computer.

Because they have access to unprecedented technological capacity, individuals may, when they are at work, violate the privacy of third parties, sometimes deliberately, but often due to negligence.

In 2006, an employee of the Canada Revenue Agency downloaded the files of 2,700 taxpayers onto 16 CD-ROMs.

She left the office with the 16 CDs and saved the contents onto her boyfriend's personal computer.

The employee allegedly did this to prepare for arbitration about a complaint she had filed against her employer.

Ostensibly, she only saw these taxpayers' files as the product of her work, which she wanted to use to support her case. Clearly, she neglected to take into account the fact that the files comprised personal data.

The most troubling aspect of this story is that the Office of the Privacy Commissioner of Canada was not informed about the situation until 2011, that is, five years after the fact and only after the story hit the press.

Why? Because the Canada Revenue Agency's security staff also took no account of the personal nature of the data when the breach was discovered —as was the case with the employee.

This kind of situation would not have been possible in the past. The informational privacy of 2,700 people was compromised because of the technological tools to which the employee had access.

The story is a good illustration of the technological and human aspects of the erosion of barriers between the public and private spheres.

Increasingly, the consumerization of IT is synonymous with “bring your own device”, or BYOD, a trend that has workers connecting to a corporate network using their own personal tablets and smartphones.

In other words, you no longer need a diskette, CD or USB key to copy half the files in an organization's network and consult them at home. You can now connect directly to the corporate network with your smartphone and have access to all the files in real time.

More and more businesses are allowing this practice. Last August, the U.S. government released a framework document to support federal institutions that want to implement a BYOD program.

Employees find it convenient since they only need to carry one device with them. Organizations see it as a way to increase productivity and reduce the cost of purchasing equipment, as well as a way to recruit and retain young, tech-savvy workers.

However, access to corporate networks means access to the personal data of clients or employees. The risks associated with BYOD are also privacy risks.

In the event of a dispute, how can computer forensic experts separate personal from corporate information on a device that belongs to an individual?

And what about the individual's personal information—including the device's unique identifier—that can be found on the corporate network?

Clearly, BYOD entails certain risks which employers must recognize and address.

Human perspective

Up until now, I have talked about situations where the use of technology by employees has contributed to the breaking down of barriers between the professional and personal spheres.

Privacy breaches can also occur when an individual uses employer-owned equipment for personal reasons without permission.

The second part of my presentation will focus on the human aspect.

The human factor is well known in security circles. Organizational security experts have repeated this for decades. The weakest link in network security is almost always a person.

People sometimes use the resources they have at the office for purposes other than carrying out their assigned work.

The use of employer-owned computer equipment for personal purposes raises the issue of the reasonable expectation of privacy.

The Supreme Court of Canada dealt with this issue recently in R. v. Cole.

In this criminal case, the accused was a high school teacher.

The school had provided him with a laptop for his work and allowed him to use it for personal purposes. While doing routine maintenance on the laptop, the school's computer technician discovered that the teacher had pornographic pictures of a minor age student on it.

School authorities confiscated the computer and copied the files it contained onto diskettes. The computer and the copies were handed over to the police, who examined everything and made copies for a computer forensic analysis, without a search warrant.

The teacher was charged with possession of child pornography and unauthorized use of a computer.

The accused argued that, under section 8 of the Canadian Charter of Rights and Freedoms, he had a reasonable expectation of privacy regarding the information contained on the computer.

He asserted that the evidence should be excluded pursuant to subsection 24(2) of the Charter. Section 8 protects against unreasonable search and seizure, and subsection 24(2) states that evidence should be excluded if the admission of it would bring the administration of justice into disrepute.

The Supreme Court of Canada heard the case and rendered its decision last month. The judges unanimously agreed that the rights of the accused had been violated under section 8 of the Charter.

However, the majority of the Court held that the evidence was nonetheless admissible under subsection 24(2).

The Court clearly affirmed that employees have a reasonable expectation of privacy in the workplace, depending on the circumstances.

In addition to computer equipment, employees often have access to vast amounts of personal information in the course of their duties.

Some people use personal data for purposes other than those permitted by the employer.

Too often, technological access controls to organizational databases are insufficient to block human curiosity or criminal intent.

In some cases of invasion of privacy, the victims can seek redress from the courts. For example, under the Personal Information Protection and Electronic Documents Act (PIPEDA), a federal act that governs privacy issues in private sector organizations, in some circumstances individuals can seek redress, including damages, by taking the matter to the Federal Court.

In such cases, the question arises as to who should be held responsible for the offence under the Act: the organization or the employee? Certainly, the organization bears a lot of responsibility for acts committed by its employees in the exercise of their duties.

(I would like to clarify here that PIPEDA gives the Privacy Commissioner of Canada jurisdiction over most commercial activities conducted in the country, except in the three provinces with substantially similar legislation, one of which is Quebec.)

A recent investigation by the Office of the Privacy Commissioner involving the Greater Toronto Airports Authority, or GTAA, demonstrates how a conflict in the personal sphere can generate serious consequences for an organization if it spills over into the professional sphere.

In the initial complaint to the Office of the Privacy Commissioner, an individual alleged that a GTAA employee had recorded personal data without his consent and that the GTAA had not responded satisfactorily to his request for access to this personal information.

The complainant alleged that his ex-wife, a GTAA employee, had used airport surveillance equipment in an inappropriate manner to take pictures of his family and him while they were at the airport.

The complainant reported his concerns to the GTAA and requested access to the personal information held by the organization. Dissatisfied with the airport's response, he made a complaint to the Office of the Privacy Commissioner, which determined that his complaint was founded.

I submitted an application to the Federal Court referring to the GTAA's failure to meet its obligations under PIPEDA when its employee recorded and used the complainant's personal information without his knowledge or consent. Furthermore, I pointed out that the GTAA failed to accede to the complainant's request for access to his personal information.

We eventually reached a settlement with the GTAA under which the complainant obtained access to all of his personal information, and new procedures for using surveillance cameras were implemented.

In the meantime, the complainant has applied to the Court to seek various remedies, including damages. The Court has not yet ruled on this matter.

Whereas in the GTAA case, the organization was held responsible for the invasion of privacy committed by its employee, in a similar case, the employee was held responsible. The events in the case in question, Jones v. Tsige, occurred in the province of Ontario.

In this second case, which was heard by the Court of Appeal for Ontario, an employee of a major bank consulted the banking records of another employee, the ex-spouse of the man she was in a relationship with, at least 174 times in a two-year period.

These surreptitious consultations, conducted for no legitimate purpose, obviously contravened the bank's policies and procedures.

The plaintiff claimed damages for invasion of privacy.

Although a lower court dismissed her action because invasion of privacy is not an offence under Ontario law, the Court of Appeal for Ontario created a new right of action respecting the tort of “intrusion upon seclusion.”

The Court of Appeal ruled that the respondent had committed the offence and ordered her to pay the plaintiff $10,000 in damages.

The Court held that the tort of intrusion upon seclusion comprises three elements:

  • the defendant's conduct must be intentional;
  • the defendant must have invaded the other person's private affairs;
  • a reasonable person would regard the invasion of privacy as highly offensive and a source of distress, humiliation or anguish.

These two cases demonstrate that, whether in a professional setting or in a public place, people take it for granted that their expectations of privacy will be met.

More importantly, these examples also show that employers have an important role to play in ensuring that their employees respect the privacy rights of clients and co-workers alike.

Conclusion

The breaking down of barriers between the personal and professional spheres creates new social realities and new challenges for the protection of privacy.

We are grappling with new legal issues, but people's expectations regarding their fundamental right to privacy remain the same.

Although the right to privacy still means something in the current context, how we exercise this right has to be consistent with today's reality.

From a legal standpoint, a crucial issue raised by the breaking down of barriers between the professional sphere and the personal sphere relates to responsibility. If an employee invades someone's privacy while using corporate information or equipment for purposes unrelated to work, who is responsible?

As we saw in the case involving the Greater Toronto Airports Authority, under PIPEDA, the organization is responsible for the handling of the personal information in its possession.

The Office of the Privacy Commissioner has published a reference document on this subject jointly with Alberta and British Columbia, two provinces with legislation substantially similar to PIPEDA. The document is entitled Getting Accountability Right with a Privacy Management Program.

Another recent publication by the Office of the Privacy Commissioner is intended to fill gaps we have identified in the legal community in particular: it is called A Privacy Handbook for Lawyers – PIPEDA and Your Practice.

Moreover, the Court of Appeal for Ontario also assigned individual responsibility in Jones v. Tsige. We will follow common law developments in this area with great interest.

One way or another, in a world where the consequences of human nature are magnified by unprecedented technological power, professionalizing everyone who has access to personal information is now more essential than ever.

Thank you again for inviting me to talk about this hot topic. I am pleased to have been given the opportunity to discuss it further with you and my learned colleague from the CNIL, Mr. De Givry.

Date modified: