Monday, April 30, 2012

Alberta Commissioner faults Calgary police employee for logging into colleague's personal e-mail account

The Office of the Information and Privacy Commissioner of Alberta has found that a civilian employee violated the province's public sector privacy law by logging into a police service employee's personal e-mail account.

Here's a summary of ORDER F2012-07 [PDF], made against the Calgary Police Service:

Summary: The Complainant was a civilian employee with the Calgary Police Service (“Public Body”). In March 2010, the Public Body’s HR consultant was informed by the Complainant’s manager that several of the Complainant’s coworkers had made allegations about the Complainant’s behavior at work, including allegations of inappropriate sexual conduct.

The Public Body began to monitor the Complainant’s computer activities, as well as reviewing her past work email activity. While reviewing her work email, the IT Security Manager (“IT Manager”) found a personal email that the Complainant had sent to a family member, which included the login ID and password information for the Complainant’s personal web-based email account. The IT Manager used this information to access the Complainant’s personal email account and found photographs of a sexual nature, which appeared to have been taken on the Public Body’s premises. The IT Manager copied these photographs, and provided them to the Complainant’s manager and the HR consultant. These photographs were used in the Public Body’s decision to terminate the Complainant’s employment, and were also used by the Public Body during the subsequent grievance process.

The Complainant made a complaint to this office, stating that the Public Body collected, used, and disclosed her personal information in contravention of Part 2 of the Freedom of Information and Protection of Privacy Act (“FOIP Act”). Specifically, the Complainant objected to the Public Body accessing her personal email account, and the subsequent collection, use, and disclosure of photographs found by the Public Body in that email account.

The Public Body argued that the collection of the Complainant’s personal information occurred during the course of investigating the allegations of workplace misconduct against the Complainant, and that the subsequent use and disclosure of the photographs found in the Complainant’s personal email account were for the same purpose as they were collected.

The Adjudicator found that the Public Body collected the Complainant’s login ID and password to her personal email account in the course of reviewing the Complainant’s work email, to which the Complainant did not object. However, the Adjudicator found that the use of the Complainant’s personal email login ID to access the Complainant’s personal email was not for the purpose of employee management, since the IT Manager had not been requested to monitor the Complainant’s personal email, rather only her work email. There was also no evidence of wrongdoing that would justify accessing a personal email account. The Adjudicator also noted that even were the use of the Complainant’s personal information for the purpose of the workplace investigation, a Public Body may only use personal information to the extent necessary to carry out its purposes in a reasonable manner; logging in to the Complainant’s personal web-based email account was exceptionally invasive, and patently unreasonable in the circumstances.

The Adjudicator found that the collection of the photographs from the Complainant’s personal email account could not be considered separately from the fact that they were collected from the Complainant’s personal email account. Because the photographs, even if relevant to the workplace investigation, were found as a result of an unauthorized use of personal information, their collection and subsequent use could not be justified as “necessary” for the purpose of the Public Body’s investigation.

The Adjudicator determined that the Complainant’s personal information was not disclosed to, but rather used by, various employees of the Public Body. The Adjudicator had already determined that the use was not authorized under the Act, but found that even if the personal information had been disclosed to the employees, the disclosure would not have been authorized, for similar reasons.

1 comment:

Chris said...

Further proof that emailing credentials sounds a good idea...