Teresa Scassa - Blog

Displaying items by tag: surveillance

On March 29, I appeared before Ontario's Standing Committee on Social Policy on the topic of the government's proposed Bill 88. My statement, which builds on an earlier post about this same bill is below. Note that the Bill has since received Royal Assent. No definition (as proposed below) of electronic monitoring was added to the bill by amendment. None of the amendments proposed by the Ontario Information and Privacy Commissioner were added.

Remarks by Teresa Scassa to the Standing Committee on Social Policy of the Ontario Legislature – Hearing on Bill 88, An Act to enact the Digital Platform Workers' Rights Act, 2022 and to amend various Acts

March 29, 2022

Thank you for this invitation to appear before the Standing Committee on Social Policy. My name is Teresa Scassa and I hold the Canada Research Chair in Information Law and Policy at the University of Ottawa.

The portion of Bill 88 that I wish to address in my remarks is that dealing with electronic monitoring of employees in Schedule 2. This part of the Bill would amend the Employment Standards Act to require employers with 25 or more employees to put in place a written policy on electronic monitoring and to provide employees with a copy. This is an improvement over having no requirements at all regarding employee monitoring. However, it is only a small step forward, and I will address my remarks to why it is important to do more, and where that might start.

Depending on the definition of electronic monitoring that is adopted (and I note that the bill does not contain a definition), electronic monitoring can include such diverse practices as GPS tracking of drivers and vehicles; cellphone tracking; and video camera surveillance. It can also include tracking or monitoring of internet usage, email monitoring, and the recording of phone conversations for quality control. Screen-time and key-stroke monitoring are also possible, as is tracking to measure the speed of task performance. Increasingly, monitoring tools are paired with AI-enabled analytics. Some electronic monitoring is for workplace safety and security purposes; other monitoring protects against unauthorized internet usage. Monitoring is now also used to generate employee metrics for performance evaluation, with the potential for significant impacts on employment, retention and advancement. Although monitoring was carried out prior to the pandemic, pandemic conditions and remote work have spurred the adoption of new forms of electronic monitoring. And, while electronic monitoring used to be much easier to detect (for example, surveillance cameras mounted in public view were obvious), much of it is now woven into the fabric of the workplace or embedded on workplace devices and employees may be unaware of the ways in which they are monitored and the uses to which their data will be put. The use of remote and AI-enabled monitoring services may also see employee data leaving the country, and may expose it to secondary uses (for example, in training the monitoring company’s AI algorithms).

An amendment that requires employers to establish a policy that gives employees notice of any electronic monitoring will at least address the issue of awareness of such monitoring, but it does very little for employee privacy. This is particularly disappointing since there had been some hope that a new Ontario private sector data protection law would have included protections for employee privacy. Privacy protection in the workplace is typically adapted to that context – it does not generally require employee consent for employment-related data collection. However, it does set reasonable limits on the data that is collected and on the purposes to which it is put. It also provides for oversight by a regulator like the Ontario Information and Privacy Commissioner (OIPC), and provides workers with a means of filing complaints in cases where they feel their rights have been infringed. Privacy laws also provide additional protections that are increasingly important in an era of cyber-insecurity, as they can address issues such as the proper storage and deletion of data, and data breach notification. In Canada, private sector employees have this form of privacy protection in Quebec, BC and Alberta, as well as in the federally-regulated private sector. Ontarians should have it too.

Obviously, Bill 88 will not be the place for this type of privacy protection. My focus here is on changes that could be made to Bill 88 that could enhance the small first step it takes on this important issue.

First, I would encourage this committee to recommend the addition of a definition of ‘electronic monitoring’. The broad range of technologies and applications that could constitute electronic monitoring and the lack of specificity in the Bill could lead to underinclusive policies from employers who struggle to understand the scope of the requirement. For example, do keypad entry systems constitute electronic monitoring? Are vehicular GPS systems fleet management devices or electronic employee monitoring or both? I propose the following definition:

electronic monitoring” is the collection and/or use of information about an employee by an employer, or by a third party for the benefit of an employer, by means of electronic equipment, computer programs, or electronic networks. Without limiting the generality of the forgoing, this includes collection and use of information gathered by employer-controlled electronic equipment, vehicles or premises, video cameras, electronic key cards and key pads, mobile devices, or software installed on computing devices or mobile devices.

Ontario’s Privacy Commissioner has made recommendations to improve the employee monitoring provisions of Bill 88. She has proposed that it be amended to require a digital copy of all electronic-monitoring policies drafted to comply with this Bill to be submitted to her office. This would be a small additional obligation that would not expose employers to complaints or liability. It would allow the OIPC to gather important data on the nature and extent of electronic workplace monitoring in Ontario. It would also give the OIPC insight into current general practices and emerging best practices. It could be used to understand gaps and shortcomings. Data gathered in this way could help inform future law and policy-making in this area. For example, I note that the Lieutenant Governor in Council will have the power under Bill 88 to make regulations setting out additional requirements for electronic monitoring policies, terms or conditions of employment related to electronic monitoring, and prohibitions related to electronic monitoring. The Commissioner’s recommendation would enhance both transparency and data gathering when it comes to workplace surveillance.

Published in Privacy

The long-term care context is one where privacy interests of employees can come into conflict with the interests of residents and their families. Recent reported cases of abuse in long-term care homes captured on video camera only serve to highlight the tensions regarding workplace surveillance. A June 2017 decision of the Quebec Court of Appeal, Vigi Santé ltée c. Syndicat québécois des employées et employés de service section locale 298 (FTQ), considers the workplace privacy issues in a context where cameras were installed by the family members of a resident and not by the care facility.

The facts of the case were fairly straightforward. The camera was installed by the family of a resident of a long term care facility, but not because of any concerns about potential abuse. Two of the resident’s children live abroad and the camera provided them with a means of maintaining contact with their mother. The camera could be used in conjunction with Skype, and one of the resident’s children present in Quebec regularly used Skype to receive updates about his mother from the private personal care person they also paid to be with their mother for part of the day, six days a week. The camera provided a live feed but did not record images. The operators of the long-term care facility did not have access to the feed. The employees of the facility were informed of the presence of the camera and none objected to it. The privately hired personal care worker was often present when staff provided care, and the court noted that there were no complaints about the presence of this companion. The family never complained about the services provided to the resident; in fact, they indicated that they were very satisfied. The resident had been in two other facilities prior to moving to this one; similar cameras had been used in those facilities.

The employees’ union challenged the installation of the video, and two questions were submitted to an arbitrator for determination. The first question was whether the employer could permit the family members of a resident to install a camera in the resident’s room for the sole purpose of allowing family members to see the resident. The second was whether the employer could permit family members to install a camera in the room of a resident with the goal of overseeing the activities of employee caregivers. The arbitrator had ruled that, as far as employees were concerned, in both cases the camera was a surveillance camera. He went on to find that the employer had no justification in the circumstances for carrying out surveillance on its employees. Judicial review of this decision was sought, and a judge of the Quebec Superior court confirmed the decision. It was appealed to the Court of Appeal.

Under the principles of judicial review, an arbitrator’s decision can only be overturned if it is unreasonable. The Court of Appeal split on this issue with the majority finding the decision to have been unreasonable. The majority emphasized that the arbitrator had found that the family’s motivation for installing the camera was not to carry out surveillance on the staff, and also highlighted the fact that none of the staff had complained about the presence of the camera.

Although the majority agreed that the privacy guarantees of the Quebec Charter of Human Rights and Freedoms protected employees against unjustified workplace surveillance by their employer, they found that the camera installed by the family for the purpose of maintaining contact with a loved one did not constitute employee surveillance. Further, it was not carried out by the employer. They noted in particular the fact that the images were not recorded and the feed was not accessible to the employer. The majority criticized the arbitrator for characterizing the family’s decision to install the camera as being motivated by a disproportionate concern (“une inquietude démesurée”) over their mother’s well-being, because there was no evidence of any mistreatment.

The majoirty cited jurisprudence to support its view that a camera that captured activities of workers was not necessarily a surveillance camera. It noted several Quebec arbitration cases where arbitrators determined that cameras installed by employers to provide security or to protect against industrial espionage were permissible, notwithstanding the fact that they also captured the activities of employees. Any surveillance of employees was incidental to a different and legitimate objective of the employer.

The majority went further, noting that in this case, the issue was whether an individual (or their family) had a right to install a camera in their own living space. For the majority, it was significant that the care home was the resident’s permanent living space because she had lost her ability to live on her own. The camera allowed her to remain in greater contact with her loved ones, including two children who lived abroad. They considered that the family’s choice in this matter had to be given its due weight, and found that the arbitrator should have ruled, in answer to the first question, that the employer could permit the installation of a camera, by family members, for the goal of permitting the family members to maintain contact with a resident.

The second question related to the rights of family members to install cameras with the goal of carrying out surveillance on caregivers. The majority declined to answer this question on because the facts did not provide a sufficient context on which to base a decision. The Court noted that the answer would depend on circumstances which might include whether there had already been complaints or reported concerns, the nature and extent of notice provided to employees, and so on.

Justice Giroux, in dissent, found that it was reasonable for the arbitrator to have characterized the camera as a surveillance camera. The arbitrator had noted that the camera was placed in such a way as to allow for a continuous view of all care provided by employees to the resident. The resolution was good enough to identify them, and in some cases to hear them. While there was no recording of the feed, it was possible to create still photographs through screen capture. The arbitrator had also turned his attention to the special nature of the care home, noting that it was a home to residents but at the same time was a workplace for the employees. The workplace was governed by a collective agreement, and disputes about working conditions were meant to be resolved by an arbitrator, meaning that courts should exercise deference in review. The arbitrator had found that by permitting the installation of the camera by the family of the resident, the employer had adopted as its own the family’s reasons for doing so, and was responsible for establishing that the level of surveillance was consistent with the Quebec Charter. The arbitrator had found that the family members had demonstrated a disproportionate level of concern, and that this could not be a basis for permitting workplace surveillance. He concluded that in his view the decision of the arbitrator should have been upheld.

 

Published in Privacy

Many Canadians are justifiably concerned that the vast amounts of information they share with private sector companies – simply by going about their day-to-day activities – may end up in the hands of law enforcement or national security officials without their knowledge or consent. The channels through which vast amounts of personal data can flow from private sector hands to law enforcement with little transparency or oversight can turn the companies we do business with into informers and make us unwittingly complicit in our own surveillance.

A recent Finding of the Office of the Privacy Commissioner of Canada (OPC) illustrates how the law governing the treatment of our personal information in the hands of the private sector has been adapted to the needs of the surveillance state in ways that create headaches for businesses and their customers alike. The Finding, which posted on the OPC site in November 2016 attempts to unravel a tangle of statutory provisions that should not have to be read by anyone making less than $300 per hour.

Basically, the Personal Information Protection and Electronic Documents Act (PIPEDA) governs how personal information is collected, used and disclosed by private sector organizations at the federal level and in all provinces that do not have their own equivalent statutes (only Quebec, B.C. and Alberta do). One of the core principles of this statute is the right of access to one’s personal information. This means that individuals may ask to be informed about the existence, use and disclosure of their personal information in the hands of an organization. They must also be given access to that information on request. Without the right of access it would be difficult for us to find out whether an organization was in compliance with its privacy policies. The right of access also allows us to verify and request correction of any erroneous information.

Another core principle of PIPEDA is consent. This means that information about us should not be collected, used or disclosed without our consent. The consent principle is meant to give us some control over our personal information (although there are huge challenges in this age of overly-long, vague, and jargon-laden privacy policies).

The hunger for our personal information on the part of law enforcement and national security officials (check out these Telco transparency reports here, here and here) has led to a significant curtailment of both the principles of access and of consent. The law is riddled with exceptions that permit private sector companies to disclose our personal information to state authorities in a range of situations without our knowledge or consent, with or without a warrant or court order. Other exceptions allow these disclosures to be hidden from us if we make access requests. What this means is that, in some circumstances, organizations that have disclosed an individual’s information to state authorities, and that later receive an access request from the individual seeking to know if their information has been disclosed to a third party, must contact the state authority to see if they are permitted to reveal that information has been shared. If the state authority objects, then the individual is not told of the disclosure.

The PIPEDA Report of Findings No. 2016-008 follows a complaint by an individual who contacted her telecommunications company and requested access to her personal information in the hands of that company. Part of the request was for “any information about disclosures of my personal information, or information about my account or devices, to other parties, including law enforcement and other state agencies.” (at para 4). She received a reply from the Telco to the effect that it was “fully in compliance with subsections 9(2.1), (2.2), (2.3) and (2.4) of [PIPEDA].” (at para 5) In case that response was insufficiently obscure, the Telco also provided the wording of the subsections in question. The individual complained to the Office of the Privacy Commissioner (OPC).

The OPC decision makes it clear that the exceptions to the access principle place both the individual and the organization in a difficult spot. Basically, an organization that has disclosed information to state authorities without the individual’s knowledge or consent, and that receives an access request regarding this disclosure, must check with the relevant state authority to see if they have any objection to the disclosure of information about the disclosure. The state authorities can object if the disclosure of the disclosure would pose a threat to national security, national defence or the conduct of international affairs, or would adversely impact investigations into money laundering or terrorist financing. Beyond that, the state authorities can also object if disclosure would adversely impact “the enforcement of any law of Canada, a province or a foreign jurisdiction, an investigation relating to the enforcement of any such law, or the gathering of intelligence for the purpose of enforcing any such law.” If the state authorities object, then the organization may not disclose the requested information to the individual, nor can they disclose that they contacted the state authorities about the request, or that the authorities objected to any disclosure. In the interests of having a modicum of transparency, the organization must inform the Privacy Commissioner of the situation.

The situation is complex enough that in its finding, the OPC produced a helpful chart to guide organizations through the whole process. The chart can be found in the Finding.

In this case, the Telco justified its response to the complainant by explaining that if pushed further by a customer about disclosures, it would provide additional information, but even this additional information would be necessarily obscure. The Commissioner found that the Telco’s approach was not compliant with the law, but acknowledged that compliance with the law could mean that a determined applicant, by virtue of repeated requests over time, could come up with a pattern of responses that might lead them to infer whether information was actually disclosed, and whether the state authority objected to the disclosure. This is perhaps not what Parliament intended, but it does seem to follow from a reading of the statute.

As a result of the complaint, the Telco agreed to change its responses to access requests to conform to the requirements outlined in the table above.

It may well be that this kind of information-sharing offers some, perhaps significant, benefits to society, and that sharing information about information sharing could, in some circumstances, be harmful to investigations. The problem is that protections for privacy – including appropriate oversight and limitations – have not kept pace with the technologies that have turned private sector companies into massive warehouses of information about every detail of our lives and activities. The breakdown of consent means that we have little practical control over what is collected, and rampant information sharing means that our information may be in the hands of many more companies than those with which we actively do business. The imbalance is staggering, as is the risk of abuse. The ongoing review of PIPEDA must address these gaps issues – although there are also risks that it will result in the addition of more exceptions from the principles of access and consent.

 

 

 

 

Published in Privacy

Canadian Trademark Law

Published in 2015 by Lexis Nexis

Canadian Trademark Law 2d Edition

Buy on LexisNexis

Electronic Commerce and Internet Law in Canada, 2nd Edition

Published in 2012 by CCH Canadian Ltd.

Electronic Commerce and Internet Law in Canada

Buy on CCH Canadian

Intellectual Property for the 21st Century

Intellectual Property Law for the 21st Century:

Interdisciplinary Approaches

Purchase from Irwin Law