Right to privacy: Are you protected when using your work phone?

Employees in both the private and public sectors in Canada have rights regarding the protection of their personal information, even when they use devices that belong to their employer, say legal expertsconsulted by Radio-Canada.

In November, aRadio-Canada report revealedthat at least 13 federal departments and agencies use tools or software that can recover even encrypted and password-protected data found on computers, tablets and mobile phones.

Thesecan include text messages, emails, photos and travel history.Certain software can also access a user's cloud-based data andreveal their internet search history, deleted content and social media activity.

A parliamentary committee will be looking into the federal department's use of these instruments starting Thursday.

The right to privacy

Many departments say they utilize these tools and software for investigations into alleged violations of various laws, and only after obtaining a search warrant.

But others say they also use them without a warrant on government-issued devices when employees are suspected of wrongdoingsuch as harassment or false overtime claims, for example.

One needs to ensure that the collection of this data is absolutely necessary.- Pierre-Luc Dziel, Laval University

"An employee will maintain a reasonable expectation of privacy with regard to their data, even when they use a device that is provided and administered by their employer, who remains the owner of this shell, if you will," Pierre-Luc Dziel, a professor of law at Laval University who specializes in privacy protection, told Radio-Canada in French.

When it comes to privacy, Canadian law distinguishes between the device and the personal information it holds, Dziel explained.

"Just because an employee does not own the devicethe tablet, the phone, the computer, whateverdoes not mean that their privacy rights with respect to the data that is contained in this device are completely extinguished."

lose Gratton, a partner atBorden Ladner Gervaiswho leads the law firm's privacy and data protection practice,offered a similar observation.

"Whether in the public sector or the private sector, the employer does not have free play. The employee has certain privacy rights, even in the workplace or in a work context," Gratton said in French.

However, that protection may be diminished depending on the nature of the work, she said.

"If the employee works in an industry, whether in the public or private sector, where there are a lot of national security issues, for example, it would be more acceptable to carry out some surveillance or use data-extracting tools to ensure public safety."

Internal investigations

Shared Services Canada (SSC) is among the federal institutions that uses data-extraction instruments for internal investigations. The agency provided additional information to Radio-Canada after the initial article was published in November.

• Tools capable of extracting personal data from phones being used by 13 federal departments, documents show

"Examples of such investigations include when there is suspected inappropriate website browsing, a malicious software installed on a device, or a suspected false claim of overtime,"the agency said.

"Digital forensics tools are exclusively used on government-issued devices and in very specific and limited circumstances."

The department said it has used these tools six times over the last two years.

Fisheries and Oceans Canada also said it uses thetools for internal investigations "involving government policy violations, such as fraud or workplace harassment."

In those cases"no judicial authorization is required, because the data belongs to the department," it said.

The tools are also used to maintain computer network integrity, according to variousfederal departments.

Gratton and Dziel both say an employee'sexpectationto privacy is augmented if their employer allows them to use their work phone or computer for personal purposes.

Personal use of government of Canada devices and networks is allowed if conducted on personal time and if it's not done for financial gain, does not incur additional costs for the department and does not interfere with its conduct of business.

Making personal travel arrangements, buying products online, paying bills, banking, contributing to discussion groups and updating a personal blog are some of the examples listed as acceptable personal use bythe federal government's "directive on service and digital."

The directive also states that employees who choose to store their personal information on a government network or its equipment do so at their own risk.

4 questions for employers

The use of potentially intrusive technology on employees' phones or computers may be permitted in certain circumstances, according to the two legal experts.

But they add that an employer should ask themselves fouressentialquestions before they allow such use, to ensure that it complieswith Canadian law:

1. Is there a specific and legitimate problem to resolve? (In the absence of a specific and legitimate problem, privacy violations are difficult to justify.)
2. Is the chosen tool effective in solving the problem?
3. Is the invasion of the employee's privacy proportional to the objective being pursued?
4. Are there less intrusive ways to achieve the same ends?

"Retrieving almost all of the data or history of a device is a very significant form of invasion of privacy,"Dzielsaid. "So the objective must also be very important. One needs to ensure that the collection of this data is absolutely necessary."

It's not knownwhat data the federal institutions retrievedfrom the targeted devices.

No impact assessments performed

A federal directive requires that all departments carry out a privacy impact assessment prior to any new activity that involves the collection or handling of personal information.

• BQ calls for study into use of tools capable of extracting data from phones
• Parliamentary committee to study federal departments' use of tools to extract personal data

According to their written responses to Radio-Canada, no department did so before using data-extracting tools, but they say they acted in accordance with a series of legal requirements.

"The President of Shared Service Canada (SSC)is authorized under the Financial Administration Act to conduct these investigations at the request of SSC's Chief Security Officer,"the agency wrote.

"These investigations comply with the Policy on Government Security and are conducted in a secure, isolated SSC forensic lab."

SSCsaidthe lab is notinternet-accessible and the data is only transmitted to its chief security officer.

Fisheries and Oceans Canada also saidits internal investigations "are based on policies and procedures delegated by the Chief Security Officer." Personal information is kept in "isolated laboratories" and in compliance with the Privacy Act, the department said.

Gratton saidit's good practice to have security measures in place to protect the seized personal information, but she insists on the need for an employer to checkat the outsetwhether the means used to obtain suchdatais justified.