Pierre-Luc Déziel is a law professor at Laval University and a specialist in the protection of the right to privacy.
He explains that when it comes to privacy, Canadian law distinguishes between the device and the personal information stored on it.
Just because an employee does not own the device, be it a tablet, phone, computer, whatever, does not mean that their right to privacy with respect to the data contained in this device is completely turned off, said the professor.
Same observation from lawyer Éloïse Gratton, partner at BLG where she leads the national Privacy and Protection of Personal Information practice group.
Whether in the public or private sector, the employer does not have free rein. The employee has certain privacy rights, even at the workplace or in a work context.
A quote from Éloïse Gratton, lawyer in privacy law
The lawyer however specifies that this protection may be reduced depending on the nature of the employment.
Lawyer Éloïse Gratton is a partner at BLG firm where she leads the national Privacy and Protection of Personal Information practice group.
It is certain that if the employee works in an industry, whether in the public or private sector, where there are a lot of national security issues for example, it would be more acceptable to do some surveillance or use data extraction tools to ensure public safety, Ms. Gratton said.
Shared Services Canada is one of the federal institutions that uses data extraction tools for internal investigations. The agency provided additional information to Radio-Canada after the initial article was published in November.
Examples of investigations include suspicion of inappropriate web browsing, installation of malware on a device, or suspicion of false overtime reporting, the agency says.
Some federal institutions, such as Shared Services Canada, say they use data extraction tools during investigations when officials are suspected of misconduct or to maintain the integrity of computer networks.
It specifies that digital forensic investigation tools are used exclusively on government-issued devices and in very specific and limited circumstances.
Shared Services claims to have used them six times over the past two years.
The Department of Fisheries and Oceans also says it uses them for internal investigations into violations of Government of Canada policies, such as fraud or harassment in the workplace.
No judicial authorization is required, because the data belongs to the ministry, says the ministry.
Fisheries and Oceans is one of the departments that uses data extraction tools to conduct, among other things, internal investigations when public servants are suspected of fraud or harassment in the workplace, for example.
These tools are also used to ensure the integrity of government computer networks, supporting various federal institutions.
Initially, Health Canada claimed to have never used the data extraction tool that it acquired in 2016. However, the ministry corrected the situation after it was pointed out that its name appeared in more recent contracts.
The tool was used by Health Canada in a limited capacity to assist in investigations between 2016 and 2021, the department acknowledged, while declining to say for what purposes.
For security and confidentiality reasons, we cannot discuss specific cases, says the ministry, which says it no longer uses it.
Lawyer Éloïse Gratton and law professor Pierre-Luc Déziel agree that expectations regarding employee privacy are increased when employers allow employees to use their work phones or computers for personal purposes.
At the federal level, personal use of Government of Canada devices and networks is permitted during the employee's personal time, if this activity has no financial purpose, does not incur any additional costs for the ministry and does not harm the work of the institution.
Organizing a trip, carrying out banking transactions, making online purchases, participating in discussion groups and maintaining a blog are among the examples of acceptable personal use cited in the Federal Directive on Services and Digital.
This directive also states that employees who decide to retain their personal information on government networks or devices do so at their own risk.
In certain circumstances, the use of potentially intrusive technologies on employees' telephones or computers may be permitted, according to the two lawyers.
But they explain that an employer should ask itself four main questions before deploying them, to ensure it complies with Canadian law.
A four-question test for employers:
Is there a specific and legitimate problem to be resolved? (In the absence of a specific and legitimate problem, violations of privacy are difficult to justify.)
Is the chosen tool effective in resolving this problem?
Is the invasion of the employee's privacy proportional to the importance of the objective pursued?
Are there less intrusive ways to achieve the same ends?
Retrieving almost all of the data or history of a device is a form of invasion of privacy which is very important, says Mr. Déziel. So the objective must also be very important. We should really ensure that this collection is absolutely necessary, he said.
The institutions have not specified what data they retrieve from targeted devices.
A federal directive requires departments to carry out a privacy impact assessment, before implementing any new activity that involves the collection or processing of personal information.
According to the ministries' written responses to our questions, none of them carried out such an assessment before using data extraction tools.
But they say they act in compliance with a series of legal requirements.
At least 13 federal government departments and agencies use data extraction tools to conduct different types of investigations.
The President of Shared Services Canada (SSC) is authorized under the Financial Administration Act to conduct these investigations following the request of the Chief Security Officer of SSC, writes the agency.
Investigations comply with the Government Security Policy and are carried out in a secure and isolated forensic laboratory, it said. Shared Services adds that the laboratory is not accessible from the Internet and that data is only transmitted to the Chief Security Officer.
The Department of Fisheries and Oceans also claims that its internal investigations are based on policies and procedures delegated by the head of security. It adds that personal information is kept in isolated laboratories and in compliance, among other things, with the Personal Information Protection Act.
Lawyer Gratton says that putting security measures in place to keep the personal information captured is a good practice. But she recalls the need for an employer to check, at the outset, whether the means used to obtain this information are justified.
Brigitte Bureau