PrivaTalk - April 2001

April 2001
Volume 1
Issue 3

Monitoring Employees’ E-mail and Internet Use in the Workplace

With their businesses’ best interests in mind, business owners are increasingly monitoring their employees’ use of e-mail and the Internet on the job. According to a survey by the American Management Association, nearly three quarters of major U.S. firms (73.5 percent) reported active surveillance of employee activities (including e-mail, voicemail and Internet usage) during the year 2000.

Although some employees might view this watchful eye as an invasion of privacy, businesses have concerns that go beyond being nosey or even keeping such a close eye on their employees' productivity. Small businesses can't afford network congestion or a clogged bandwidth because of employees' non-business Web use. Furthermore, an employer can be held legally liable if an employee is accessing and sharing offensive material. For example, if one employee offends another by showing pornography online, the employer could have a sexual harassment case on its hands.

Canadian courts have not specifically addressed the issue of e-mail privacy. In the United States, courts have found that an employee has no reasonable expectation of privacy in an e-mail sent or received on the employer’s system. In 1999, a Canadian arbitrator came to much the same conclusion in the case of Camosun College v. CUPE, finding that there could be no confidentiality of an e-mail message sent over the employer’s system.

E-mail monitoring becomes more complex when the employee uses the employer’s computer and network to connect to the Internet, but sends and receives e-mail using a third party provider such as Hotmail or Yahoo!. Unless an employer has a policy against using the company’s computer for personal use, it is likely that the employee would have a reasonable expectation of privacy in this personal e-mail account.

Employers have very legitimate concerns that justify monitoring an employee’s Internet usage, such as wasted employee time and illegal activities conducted by employees on the Internet, for which the employer could be held liable. If you think Internet monitoring is right for your business, you have a number of options.

Filtering software, sometimes referred to as Internet access management software, tells you when your employees are online, what sites they are visiting and how much bandwidth they use while online. Alternatively, you could buy software that actually takes pictures, called screen shots, every so often of where your employees have been on the Web. You will not only know where your employees have been but also what they've been doing while there. If your employees have visited a chat room, for example, you'll be able to see what they have written.

I recommend less intrusive measures – if your objective is to keep your employees off sites not related to their job, Web-blocking software will do the trick by blocking visits to gaming, shopping or pornographic sites. Not only is Web-blocking software cheaper, but by using it, you won't have to set aside time to go through reports and your employees won't feel spied on.

Whether inappropriate e-mails or Internet usage are just cause for dismissal appears to be a question of fact. Canadian courts and arbitrators have gone both ways on the issue. One of the most effective ways for a company to avoid inappropriate e-mail and Internet use, and protect itself in a wrongful dismissal suit, is to develop a comprehensive e-mail and Internet use policy. Each employee must be made aware of:

1. the proper use of the company's computer technology;
2. what, if any, personal use of these resources is permitted;
3. the fact that the employer can and will be monitoring employee e-mail and Internet activity; and
4. the penalties (up to and including discharge) for misuse of the company's system.

A comprehensive policy should take care of any reasonable expectation of privacy an employee might have in their company e-mail. It should also provide the transparency necessary to avoid any liability under the Criminal Code (interception) or the Personal Information Protection and Electronic Documents Act. Note that under the Personal Information Protection and Electronic Documents Act an employer would also be required to demonstrate a legitimate purpose for collecting the data. However, in the interest of public policy, preventing harassment or illegal on-line activity would be likely to meet this legitimacy test.



Does Personal Information include Anonymized or Aggregated Data?

While the ability of an organization to collect, use and disclose personal information which identifies an individual is clearly restricted by the federal Personal Information Protection and Electronic Documents Act (the “Act”), there appears to be doubt remaining concerning the application of the Act to databases of anonymized or aggregated information about individuals.

Personal data is routinely anonymized and aggregated in a wide variety of business applications. Research for the marketing and health industries often involves the use and disclosure of non-identifiable data in order to create statistical profiles of relevant populations. In such cases, the data is either collected on an anonymous basis (e.g., through questionnaires which do not ask for identifying information) or the identifying information is removed before the database is assembled.

The concern of the health care sector that the restrictions on the disclosure of personal information would hinder medical research was a major factor in the Senate amendments to the Act which delayed the application of the Act to health information. These concerns about the use of anonymized data do not seem to be justified as the Act does not appear to apply to anonymized information at all. The definition of "personal information" in section 2(1) restricts the scope of the Act to "information about an identifiable individual." It would appear clear that the identification of the individual must be from the information itself. Section 4.5.3 of the CSA Code (Schedule 1 to the Act) also refers to obsolete personal information being "destroyed, erased or made anonymous," which seems to imply that the effect of all three options is roughly the same.

However, there are still gray areas which are unclear, especially in the Internet realm. Increasingly, technological advances permit companies to collect and employ "semi-anonymous" data about individuals which, while not permitting the identification of the individual, nevertheless allows the targeting of that individual for advertising or other purposes. The use of a number of these technologies has led to controversy. For example, up until April 2000, Mattel embedded software called "Brodcast" in several of its children's software titles. The Brodcast software automatically connected a user's computer to the Internet and relayed information to Mattel. Mattel subsequently disabled the software, although it claimed that no laws were violated since the software did not transmit any personal information, only "a product identification number and some technical information and downloads advertising products targeted towards the user". Whatever the legal position may be under U.S. law, Mattel's software would not seem to be a violation of the Act so long as no information was sent which could identify an individual.

Internet advertising systems provide another example of the use of "semi-anonymous" data to target users. It is not necessary for Internet advertisers to know the names of the users to whom advertisements are directed, so long as they know that a certain number of “eyeballs” have been exposed to their messages. Naturally, the messages are more valuable if a certain type of "eyeballs" can be guaranteed to have received the advertising message. A number of Internet advertising companies claim to use a system for profiling computer users which allows individualized banner advertising to be served to a user's computer based on Internet access habits, without the need for either the advertising company or its customers knowing the identity of the specific user. While it appears that these Internet advertisers do not collect data which gives them the ability to identify users in an off-line sense, the advertiser nevertheless has the ability to differentiate between users for the purpose of serving targeted advertising. Can it be said that identifying an Internet user with a unique code or "cookie" which allows the serving of targeted advertisements to the user is any different from identifying that user by means of a name, telephone number or address?

Other than the cookies used by on-line advertisers, probably the most common use of "semi-anonymous" data on the Internet is the collection and use of e-mail addresses, which are often required in order to register at sites and obtain services. Sites will sometimes use this e-mail information to target users with e-mail advertisements or promotional material. While such activities may be subject to other restrictions, at first glance they do not appear to violate the Act. Because several individuals can use a single e-mail address, the e-mail address itself does not identify an individual, and, if an individual's name is not connected to the address, it is arguable that an e-mail address is not information about an "identifiable individual". In many ways, an e-mail address is no different from an off-line street address that does not identify an individual; it does not appear that the Act is intended to prevent the collection or use of street addresses for non-individualized mailings.

However, the Act's use of the word "identifiable" (both in the English and French versions) implies that it is the possibility that an individual could be identified that governs. It is therefore critical to determine whether it is possible that the "semi-anonymous" data could be used to trace the off-line identity of the user, even if the information collector does not use the data in that way. The U.K. Court of Appeal used such an analysis in the 2000 case of R. v. Department of Health. Source Informatics Ltd. was a company that had made an arrangement to collect prescription information from pharmacists with the name of the patient removed. The appeal court found that Source would in some rare instances be prevented from accessing the prescription information if the nature of the disease or the prescription would be so unusual as to permit the identification of the patient despite the removal of the patient's name from the prescription information. The Court of Appeal was clear in holding that the onus is on the user of the information to ensure that data cannot be used to identify the individual. This type of analysis might be used to argue that the Act should apply to the collection and use of e-mail addresses. While, as noted above, an e-mail address in itself may not permit the identification of an individual, it is in many cases possible to trace the identity of the individual behind the address by searching Internet records.

Internet companies that rely on the collection of "semi-anonymous" data must assess the extent to which it is possible to locate or identify individuals from this data. Many companies which collect information which they think is anonymous could nevertheless be caught by the provisions of the Act if it is possible to work back from that data to the identity of an individual. In view of the stiff penalties which can be imposed as a result of a violation of the Act (not to mention the public opprobrium which usually occurs as a result of a real or perceived privacy breach), Internet companies should likely err on the side of caution and consider obtaining consent for the collection and use of "semi-anonymous" data. If this is not possible, Internet companies which collect such data must at least ensure that proper safeguards are in place to prevent the possibility that the anonymous data can ever be used to identify an individual.
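One way to run the assessment described above, as an added example that is not part of the original newsletter: count how many records share each combination of the remaining attributes (a k-anonymity check, a technique the article does not name), then coarsen and suppress until no group is smaller than k. The records, field names and drug-class mapping are constructed for illustration.

```python
from collections import Counter

# Constructed sample data: prescription records with the patient name already
# removed. Field names and values are hypothetical.
RECORDS = [
    {"postal_prefix": "M5V", "birth_year": 1961, "drug": "atorvastatin"},
    {"postal_prefix": "M5V", "birth_year": 1961, "drug": "atorvastatin"},
    {"postal_prefix": "M5V", "birth_year": 1964, "drug": "simvastatin"},
    {"postal_prefix": "M5V", "birth_year": 1968, "drug": "atorvastatin"},
    {"postal_prefix": "K1A", "birth_year": 1975, "drug": "amoxicillin"},
    {"postal_prefix": "K1A", "birth_year": 1975, "drug": "amoxicillin"},
    {"postal_prefix": "K1A", "birth_year": 1979, "drug": "cephalexin"},
    {"postal_prefix": "K1A", "birth_year": 1972, "drug": "miglustat"},  # rare
]
QUASI_IDENTIFIERS = ("postal_prefix", "birth_year", "drug")
GENERALIZED_FIELDS = ("postal_prefix", "birth_decade", "drug_class")

# Constructed mapping used only to coarsen the drug field.
DRUG_CLASS = {
    "atorvastatin": "statin", "simvastatin": "statin",
    "amoxicillin": "antibiotic", "cephalexin": "antibiotic",
    "miglustat": "orphan-drug",
}


def _key(record, fields):
    return tuple(record[f] for f in fields)


def class_sizes(records, fields):
    """Count how many records share each combination of field values."""
    return Counter(_key(r, fields) for r in records)


def k_of(records, fields):
    """Smallest group size; k == 1 means at least one record is unique."""
    sizes = class_sizes(records, fields)
    return min(sizes.values()) if sizes else 0


def below_k(records, fields, k):
    """Records whose attribute combination is shared by fewer than k records."""
    sizes = class_sizes(records, fields)
    return [r for r in records if sizes[_key(r, fields)] < k]


def generalize(record):
    """Coarsen a record: birth year to decade, drug to therapeutic class."""
    return {
        "postal_prefix": record["postal_prefix"],
        "birth_decade": record["birth_year"] // 10 * 10,
        "drug_class": DRUG_CLASS[record["drug"]],
    }


def release(records, k):
    """Generalize, then suppress any record still in a group smaller than k."""
    coarse = [generalize(r) for r in records]
    sizes = class_sizes(coarse, GENERALIZED_FIELDS)
    kept = [r for r in coarse if sizes[_key(r, GENERALIZED_FIELDS)] >= k]
    return kept, len(coarse) - len(kept)


if __name__ == "__main__":
    print("k on raw fields:", k_of(RECORDS, QUASI_IDENTIFIERS))
    coarse = [generalize(r) for r in RECORDS]
    print("still unique after coarsening:", below_k(coarse, GENERALIZED_FIELDS, 3))
    kept, suppressed = release(RECORDS, 3)
    print("released:", len(kept), "suppressed:", suppressed,
          "k:", k_of(kept, GENERALIZED_FIELDS))
```

The rare prescription stays unique even after coarsening, which is the situation the Court of Appeal described; only suppressing that record brings the released set to k = 3.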



Ontario’s Smart Card Initiative – Are the Privacy Concerns Well-founded?

The Ontario government is pressing ahead with its controversial “smart” identity card, a multipurpose card that would replace OHIP cards, drivers' licences, birth certificates, hunting and fishing licences, and any other cards that are used to access government services. The government insists that protection of privacy is a paramount concern in the development of smart cards, but the Federal Privacy Commissioner is extremely skeptical.

The province plans to test the waters with smart-card pilot projects in 2002, and the following year, it plans to roll smart cards out to the public on a larger scale. The Harris government is expected to table legislation this spring that would clear the way for the introduction of the technology. With plans to allow cardholders a choice about what information their smart card contains, the province hopes to alleviate concerns about privacy. Ann Cavoukian, the Ontario Privacy Commissioner, favours this approach, since it gives the individual control over their information. For example, while those wanting access to health services will need a card identifying them, each cardholder can decide whether the card will also contain vital medical information – blood type, recent surgery, diseases or heart condition – that could be downloaded without authorization if the patient was not able to get consent.

In addressing concerns about identity theft that arise if a smart card is stolen or lost, the government is looking at integrating biometrics into smart cards, a proposal that could require fingerprinting or retinal scanning of Ontarians. However, George Radwanski, the Privacy Commissioner of Canada, warned that biometrics simply complicates the matter by throwing more privacy concerns into the equation.

Radwanski’s perspective is that despite government assurances that privacy will be protected, there is plenty of room for privacy invasions in the future. The example he used during his speech to the Canadian Club on March 26th was the situation where a police officer pulling somebody over for a traffic violation might peek into health records to make sure the person isn't psychologically disturbed. Radwanski is not opposed to smart card technology, as long as the information it contains or accesses is sufficiently segregated and secured. With so much information in one place, the chances for abuse of the technology increase dramatically. The Management Board of Cabinet said the Commissioner’s speech was inaccurate and misleading.

Although it is too soon to tell whether the Commissioner’s concerns are well-founded or how the Ontario government will deal with these concerns more directly, it is clear that the Smart Card Project has a bumpy road ahead. The purpose of the smart card is to improve the way the Ontario government delivers services and manages its operations. The question becomes, do the savings from a more efficient system really offset the cost of developing the technology? Smart cards also eliminate the need to carry many different cards in order to deal with the government. But again, is the convenience of having all government cards consolidated into one worth it? Just because the smart technology is there, doesn’t necessarily mean that a government should use it. There is still a great deal of work to be done, and studies to be undertaken to determine the impact of imposing smart cards on Ontarians.


The Australian Privacy Bill – Weak Privacy Protection?

The Privacy Amendment (Private Sector) Bill 2000 comes into force on December 21, 2001. The Bill puts into place a framework for the handling of personal information by commercial organizations operating in Australia.

Many of the requirements of Bill 2000 are similar to those of the Personal Information Protection and Electronic Documents Act, formerly known as Bill C-6. For example, commercial databases storing personal information will have to be secure and open to scrutiny by individuals seeking to correct their personal information. Also, companies will not be able to sell lists of their customers without obtaining their customers' consent. Interestingly, Bill 2000 has separate additional requirements for website operators. For example, Internet users must be told who exactly is collecting their information and how it is used, stored and disclosed. In addition, on-line companies in particular must take steps to protect information they hold from unauthorized access, including securing data by means of encryption.

Bill 2000 is subject to numerous exemptions, which has led to some concern as to how effective the Bill will really be. Most controversial is the exemption of all small businesses from the legislation unless they trade in personal information or are in the health sector, or voluntarily choose to fall within the scope of the Act and are thus inserted into the Privacy Commissioner’s register. Thus, a large number of businesses will be automatically exempt from the law. The Bill also allows personal information to be shared with related companies but provides insufficient guidelines as to the limits to this rule. This could lead to unforeseen uses of and access to personal information provided to a company in trust.

Bill 2000 allows industry bodies to develop codes of practice and to be wholly responsible for handling complaints. The deference that Australia's Privacy Commissioner is required to show towards industry codes of practice has also caused concerns about the legislation's clout. That is, once the Commissioner approves a code submitted to him, the Commissioner cannot audit compliance, review decisions or direct code adjudicators on resolving complaints. The national privacy principles outlined in the legislation will apply by default only to businesses that don’t develop their own code and get approval for it.

The Australian Competition and Consumer Commission found in mid-March that Australian Internet-based businesses fail to provide adequate privacy policies for consumers. More than 3000 sites internationally were examined for, among other things, disclosure of contact information, refund and warranty policies and privacy policies.

9 out of 10 Australian companies adequately disclosed contact information on their sites, but fewer than 3 out of 10 disclosed a privacy policy. Thus, many Australian companies are not providing consumers with adequate disclosure about their information-handling practices. However, it is unclear whether Bill 2000 will help, given that the legislation has been designed so as not to impose excessive costs on businesses. The scope of Bill 2000 is limited because of the broad exemptions, whereas Canada’s law has an expansive scope with limited exemptions that is much more onerous on businesses.

The European Commission’s Article 29 Working Party recently concluded that the data protection provided by Australia’s privacy laws is inadequate from a trade perspective. The Working Party had a number of concerns. They particularly found fault with the complexity of the assessment required by the Bill to determine whether an organization constitutes a small business and whether or not it is exempt from the law. The Working Party stated that the uncertainty created renders it “necessary to assume that all data transfers to Australian businesses are potentially to a small business operator which is not subject to the law unless the name of the small business is inserted in the Privacy Commissioner’s register”. The group was also critical of the Bill’s restrictions on the collection of data, with almost no restrictions on how the data may be used once it has been collected. Another major concern, particularly for the EU – the Bill only refers to Australian citizens and thus personal data concerning citizens of other countries who are not permanent residents are beyond the scope of the new laws.

The EU is attempting to make it quite clear that they can control the privacy legislative direction of other countries. Australia’s Attorney General accused the Working Party of not understanding the Australian law and imposing standards that are too onerous for most countries to meet, including the EU’s own members. The Working Party sat on the fence with respect to the adequacy of Canada’s legislation. It’s now time for Australia and the European Commission to begin negotiating, a process that could lead to the same ugly situation that exists between the United States and the EU. American businesses and the Bush Administration are objecting strongly to a set of proposed European Commission privacy rules that would require a set of "standard clauses" for contracts between American and European firms. Such clauses would essentially obligate American firms to operate under European Union privacy standards.

Bill 2000 is a good example of how efforts to introduce privacy legislation into the private sector as slowly and cautiously as possible can backfire and cause much uncertainty with respect to its clout in the business community and its legitimacy on the international front.



Study involving Canadian Internet Users finds On-line Privacy Policies Build Consumer Trust

Columbus Group and Ipsos-Reid released the results of a joint study at the beginning of March. The data for the study was collected by surveying 2,500 Internet users (1,000 Internet users were surveyed on-line, and a further 1,500 Internet users were interviewed on the telephone). Ipsos-Reid assures that the results of the study are accurate within 2.5 percentage points, higher or lower. The findings indicated that Canadian Internet users are willing to share personal information on-line, but their degree of willingness depends to a large extent on whether they trust the organization in question.

Contrary to popular belief, 82% of Canadian Internet users have shared personally identifiable information on a Web site. However, it is clear that information is submitted on one site rather than another for definite reasons. 74% of those surveyed indicated that they felt comfortable providing information on a site that belonged to a reputable company. 55% claimed that upon reading the Web site’s privacy policy, they were more willing to provide their information. Among Internet users who have never shared personal information on-line, 57% said that a solid on-line privacy policy, one that explained the intended use of submitted information, might make them reconsider and share information.

Among the most common reasons cited for providing personal data (named by 62 percent who had done so) was the need to complete a site registration form to access premium content. Some 57 percent have provided personal information while purchasing goods or services, and 52 percent have done so for on-line contest entries.

This study indicates that for e-business to succeed, companies must develop trusting relationships with their customers. On-line privacy concerns can be mitigated by being open about information-handling practices. Organizations that have not yet recognized the importance of a clear privacy policy are sabotaging their own efforts to build strong and long-term on-line customer relationships.

One in seven Internet users reported that their information was used in ways they considered a breach of their privacy. 86% of these users said they were subscribed to unwanted e-mail marketing, and 43% said that their information was sold or transferred to a third party without their consent.

It is clear that the benefits of being able to develop a better understanding of current and potential customers are causing more and more companies to collect personal information on-line. However, it is also clear that there is a responsibility to respect privacy and to effectively communicate how the company is doing that, in order to continue enjoying the benefits of personal information collection in the on-line world.


P3P – An Industry Standard for Privacy?

P3P (Platform for Privacy Preferences) is a software standard sponsored by the World Wide Web Consortium, a non-profit but industry-dominated body that oversees the development of the Web. P3P supports a machine-readable language called XML for describing privacy policies and attempts to give users more control over the use of their personal information on the Web sites they visit. Web sites translate their privacy policies into P3P’s dialect, enumerating key characteristics such as whether the site tracks its users’ movements or shares data with partners. Once codified according to P3P’s rules, the policy becomes part of the computer code that makes up the Web sites’ individual pages.

By specifying their privacy preferences through a P3P-enabled Internet browser, users can rely upon their browsers to ensure their privacy concerns are respected. The browser would review a Web site's privacy policy electronically and issue the user a warning if it can't find one. Sites with practices that fall within the range of a user's preferences would be accessed "seamlessly." Otherwise, for example if a Web site wants more information than the user has indicated a willingness to disclose, the user would be notified of a site's practices and have the opportunity to agree to those terms or other terms, and continue browsing if they wish. The P3P application would thus act as a ‘privacy helper’, informing a user of a Web site's practices that differ from stated privacy preferences. In essence P3P will allow users to control their information and to tailor their relationship to specific sites…so the story goes.
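The browser-side check described above, sketched as an added example that is not code from the W3C, Microsoft or the original newsletter. The sample policies and user preferences are constructed; element names (POLICY, STATEMENT, PURPOSE, RECIPIENT) and the `required` values (always, opt-out, opt-in) follow the P3P 1.0 vocabulary, and treating unlisted practices as needing opt-in is an assumption of this sketch.

```python
import xml.etree.ElementTree as ET

# Constructed sample policies (namespace omitted to keep them short).
SAMPLE_POLICY = """
<POLICY name="constructed-example">
  <STATEMENT>
    <PURPOSE><current/><admin/></PURPOSE>
    <RECIPIENT><ours/></RECIPIENT>
  </STATEMENT>
  <STATEMENT>
    <PURPOSE><telemarketing required="opt-out"/></PURPOSE>
    <RECIPIENT><ours/><unrelated/></RECIPIENT>
  </STATEMENT>
</POLICY>
"""
CONFORMING_POLICY = """
<POLICY name="constructed-conforming">
  <STATEMENT>
    <PURPOSE><current/><telemarketing required="opt-in"/></PURPOSE>
    <RECIPIENT><ours/></RECIPIENT>
  </STATEMENT>
</POLICY>
"""

# Constructed user preferences: the weakest consent model the user accepts
# for each practice ("never" rejects the practice outright).
PREFS = {
    ("purpose", "current"): "always",
    ("purpose", "admin"): "always",
    ("purpose", "telemarketing"): "opt-in",
    ("recipient", "ours"): "always",
    ("recipient", "unrelated"): "never",
}

# How much control the site offers vs. how much the user demands.
OFFERED = {"always": 0, "opt-out": 1, "opt-in": 2}
DEMANDED = {"always": 0, "opt-out": 1, "opt-in": 2, "never": 3}


def local(tag):
    """Strip an XML namespace so namespaced policies parse the same way."""
    return tag.rsplit("}", 1)[-1]


def practices(root):
    """Yield (kind, name, required) for each declared purpose and recipient."""
    for stmt in root.iter():
        if local(stmt.tag) != "STATEMENT":
            continue
        for group in stmt:
            kind = local(group.tag)
            if kind in ("PURPOSE", "RECIPIENT"):
                for item in group:
                    # P3P treats a missing "required" attribute as "always".
                    yield kind.lower(), local(item.tag), item.get("required", "always")


def evaluate(policy_xml, prefs, default="opt-in"):
    """Return (decision, mismatches); decision is no-policy, seamless or prompt."""
    if not policy_xml:
        return "no-policy", []          # browser warns: no policy found
    try:
        root = ET.fromstring(policy_xml)
    except ET.ParseError:
        return "no-policy", []          # unreadable policy is treated as absent
    if not any(local(e.tag) == "POLICY" for e in root.iter()):
        return "no-policy", []
    mismatches = []
    for kind, name, required in practices(root):
        demanded = prefs.get((kind, name), default)
        # Unknown "required" values are scored as "always" (least user control).
        if OFFERED.get(required, 0) < DEMANDED[demanded]:
            mismatches.append((kind, name, required))
    return ("prompt" if mismatches else "seamless"), mismatches


if __name__ == "__main__":
    for label, xml in (("sample", SAMPLE_POLICY),
                       ("conforming", CONFORMING_POLICY), ("missing", None)):
        print(label, evaluate(xml, PREFS))
```

The check only compares what a site declares with what the user will accept; it says nothing about whether the site actually follows its declared policy.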

Proponents of P3P are using it to justify their opposition to privacy laws, saying that the P3P approach will be far more productive than any new laws. Microsoft is building the technology into Version 6 of its Internet Explorer browser, due by year end. Because Microsoft is the lead browser provider, its decision to insert P3P into Internet Explorer could vastly broaden the technology’s reach. P3P is a modest step towards enhancing Internet privacy; however, I am skeptical as to how successful it will really be at giving users control over their personal information. Consider:

· Although P3P provides a technical mechanism for ensuring that users are informed about privacy policies before they release personal information, it obviously does not provide a method to ensure that sites act according to their policies. A standard cannot impose any penalties on those that deviate from commitments being made.

· Privacy policies are inevitably complex, as will be the dozens of questions asked of users as they set up their privacy preferences. I suspect most users won’t bother to consider and configure their browser for their own needs and preferences – they will just accept the default settings. Thus, Microsoft, in deciding the default, will essentially govern the vast majority of consumers’ interactions with the Web. Microsoft is setting the default to "medium," which will, for example, block cookies from any site that doesn't have at least an "opt-out" policy. Privacy advocates want the privacy default set to "opt-in," which would block more cookies.

For the system to work, Web sites will have to code their privacy policies in the P3P format, which few currently do. AOL, IBM, RealNetworks and AT&T say they are already P3P-compliant. However, others, including Amazon.com and the Disney Internet Group, won’t yet say whether they will back the plan. Most large commercial Web sites are expected to adopt P3P eventually, because the latest version of Internet Explorer would not otherwise accept their cookies unless P3P was completely turned off by the user.

Individuals must have both the ability to negotiate easily over privacy rights and the entitlement to privacy as a default. P3P is the architecture to facilitate that negotiation, but regardless of how quickly or slowly P3P gains popularity, privacy laws provide the rules that say the negotiation must occur. It is unrealistic for American companies to expect that P3P can be an alternative to privacy legislation.

Visit the P3P site at http://www.w3.org/p3p.