Ottawa

Right to privacy: Are you protected when using your work phone?

Legal experts highlight important privacy issues in the wake of Radio-Canada’s story on the use of data-extracting tools on government-issued phones and computers.

Legal experts weigh in on use of data-extraction tools by federal departments

A close-up of someone typing on a cell phone.
In November, a Radio-Canada report revealed that at least 13 federal departments and agencies use tools or software that can recover even encrypted and password-protected data found on computers, tablets and mobile phones. (Sean Kilpatrick/The Canadian Press)

Employees in both the private and public sectors in Canada have rights regarding the protection of their personal information, even when they use devices that belong to their employer, say legal experts consulted by Radio-Canada.

In November, a Radio-Canada report revealed that at least 13 federal departments and agencies use tools or software that can recover even encrypted and password-protected data found on computers, tablets and mobile phones.

These can include text messages, emails, photos and travel history. Certain software can also access a user's cloud-based data and reveal their internet search history, deleted content and social media activity.

A parliamentary committee will be looking into the federal department's use of these instruments starting Thursday.

The right to privacy

Many departments say they utilize these tools and software for investigations into alleged violations of various laws, and only after obtaining a search warrant.

But others say they also use them without a warrant on government-issued devices — when employees are suspected of wrongdoing such as harassment or false overtime claims, for example.

One needs to ensure that the collection of this data is absolutely necessary.- Pierre-Luc Déziel, Laval University

"An employee will maintain a reasonable expectation of privacy with regard to their data, even when they use a device that is provided and administered by their employer, who remains the owner of this shell, if you will," Pierre-Luc Déziel, a professor of law at Laval University who specializes in privacy protection, told Radio-Canada in French.

When it comes to privacy, Canadian law distinguishes between the device and the personal information it holds, Déziel explained.

"Just because an employee does not own the device — the tablet, the phone, the computer, whatever — does not mean that their privacy rights with respect to the data that is contained in this device are completely extinguished." 

An upper body portrait of a bearded man wearing a suit jacket and tie.
Pierre-Luc Déziel is a professor of law at Laval University who specializes in privacy protection. (Université Laval)

Éloïse Gratton, a partner at Borden Ladner Gervais who leads the law firm's privacy and data protection practice, offered a similar observation.

"Whether in the public sector or the private sector, the employer does not have free play. The employee has certain privacy rights, even in the workplace or in a work context," Gratton said in French.

However, that protection may be diminished depending on the nature of the work, she said.

"If the employee works in an industry, whether in the public or private sector, where there are a lot of national security issues, for example, it would be more acceptable to carry out some surveillance or use data-extracting tools to ensure public safety."

Internal investigations

Shared Services Canada (SSC) is among the federal institutions that uses data-extraction instruments for internal investigations. The agency provided additional information to Radio-Canada after the initial article was published in November.

"Examples of such investigations include when there is suspected inappropriate website browsing, a malicious software installed on a device, or a suspected false claim of overtime," the agency said.

"Digital forensics tools are exclusively used on government-issued devices and in very specific and limited circumstances."

The department said it has used these tools six times over the last two years.

The stern of a Fisheries and Oceans Canada vessel docked with a helicopter and crew on the deck.
Fisheries and Oceans Canada said it uses the tools for internal investigations 'involving government policy violations, such as fraud or workplace harassment.' In such cases 'no judicial authorization is required, because the data belongs to the department,' the department said. (Charles-Étienne Drouin/Radio-Canada)

Fisheries and Oceans Canada also said it uses the tools for internal investigations "involving government policy violations, such as fraud or workplace harassment."

In those cases "no judicial authorization is required, because the data belongs to the department," it said.

The tools are also used to maintain computer network integrity, according to various federal departments.

Black text on a blue background about Health Canada using a data-extraction tool in what it says was 'a limited capacity' from 2016 to 2021.

Gratton and Déziel both say an employee's expectation to privacy is augmented if their employer allows them to use their work phone or computer for personal purposes.

Personal use of government of Canada devices and networks is allowed if conducted on personal time and if it's not done for financial gain, does not incur additional costs for the department and does not interfere with its conduct of business.

Making personal travel arrangements, buying products online, paying bills, banking, contributing to discussion groups and updating a personal blog are some of the examples listed as acceptable personal use by the federal government's "directive on service and digital."

The directive also states that employees who choose to store their personal information on a government network or its equipment do so at their own risk.

4 questions for employers

The use of potentially intrusive technology on employees' phones or computers may be permitted in certain circumstances, according to the two legal experts.

But they add that an employer should ask themselves four essential questions before they allow such use, to ensure that it complies with Canadian law:

  1. Is there a specific and legitimate problem to resolve? (In the absence of a specific and legitimate problem, privacy violations are difficult to justify.)
  2. Is the chosen tool effective in solving the problem?
  3. Is the invasion of the employee's privacy proportional to the objective being pursued?
  4. Are there less intrusive ways to achieve the same ends?

"Retrieving almost all of the data or history of a device is a very significant form of invasion of privacy," Déziel said. "So the objective must also be very important. One needs to ensure that the collection of this data is absolutely necessary."

It's not known what data the federal institutions retrieved from the targeted devices.

A head and shoulders portrait of a smiling woman with dark hair who's wearing a shiny green blouse.
Éloïse Gratton is a partner at Borden Ladner Gervais where she leads the law firm's privacy and data protection practice. (Submitted by Éloïse Gratton)

No impact assessments performed

A federal directive requires that all departments carry out a privacy impact assessment prior to any new activity that involves the collection or handling of personal information.

According to their written responses to Radio-Canada, no department did so before using data-extracting tools, but they say they acted in accordance with a series of legal requirements.

"The President of Shared Service Canada (SSC) is authorized under the Financial Administration Act to conduct these investigations at the request of SSC's Chief Security Officer," the agency wrote. 

"These investigations comply with the Policy on Government Security and are conducted in a secure, isolated SSC forensic lab."

An out-of-focus person is seen in a room filled with computers.
A federal directive requires that all departments carry out a privacy impact assessment prior to any new activity that involves the collection or handling of personal information. (Oleksiy Mark/Shutterstock)

SSC said the lab is not internet-accessible and the data is only transmitted to its chief security officer.

Fisheries and Oceans Canada also said its internal investigations "are based on policies and procedures delegated by the Chief Security Officer." Personal information is kept in "isolated laboratories" and in compliance with the Privacy Act, the department said.

Gratton said it's good practice to have security measures in place to protect the seized personal information, but she insists on the need for an employer to check at the outset whether the means used to obtain such data is justified.

ABOUT THE AUTHOR

Brigitte Bureau is an award-winning investigative reporter with Radio-Canada. You can reach her by email: brigitte.bureau@radio-canada.ca.