Breach of privacy case holds lessons for IT departments

An Ontario court judgment last week, which found it intrusive when police probed a high school teacher’s work PC without a warrant, holds certain implications for IT departments that must lay down guidelines for employee use of corporate equipment.

The court ruling, related to a Northern Ontario high school teacher charged with owning child pornography, is that the police’s decision to copy the entire contents of the hard drive without a warrant infringed upon the teacher’s right to privacy.

One IT leader thinks the court judgment illustrates an interesting balancing act. The chief information officer at Northwest Community College in Terrace, B.C., Dave O’Leary, is tasked with ensuring operational standards are published and distributed to all employees regarding computer use.

“That’s something we take very seriously and we’re very thoughtful and considerate of,” said O’Leary of the privacy of individuals and their information.

O’Leary said there has been a significant increase of activity related to citizen privacy in British Columbia. Yet, he added, his school’s corporate IT equipment usage policies state very clearly that “anything that’s kept in any form on our equipment is available for scrutiny within the college.”

For instance, just last week, O’Leary said his IT department staff took it upon themselves to investigate a similar aberration where huge amounts of data were travelling back and forth between two corporate machines. “Our policy said we are allowed to do that,” said O’Leary.

The verbiage used in Northwest Community College’s guidelines for corporate machine use is something along the lines of it being prohibited to access anything illegal or that employees cannot contravene legislation.

“They are broad statements but designed to let people know, ‘Don’t put stuff on there that you don’t want other people to see,’” said O’Leary.

As for the lack of warrant, O’Leary said his IT department has the responsibility to alert police when illegal activity is suspected, but citizens must be seen to be free from unreasonable search and seizure. “I would expect police to operate legally as well,” he said.

“It’s a level of growing complexity for CIOs across the country I would suggest,” said O’Leary.

Michael Iseyemi, in charge of IT security at Minacs Aditya Birla, a Toronto-based global outsourcer, believes there must be equal attention paid to corporate machine ownership by an employer and proper legal steps taken by police authorities.

“It’s a combination approach,” said the chief security officer.

At Minacs Aditya Birla, the employer owns and has the right to monitor all IT systems used by staff. “Every single employee has signed off on that and there is the expectation of very little privacy on company’s network and equipment as well,” said Iseyemi.

As with O’Leary, Iseyemi, too, believes there still must be a warrant involved in any search of corporate machines. From an investigative standpoint, it’s necessary for chain of custody and preservation of evidence, said Iseyemi.

Follow Kathleen Lau on Twitter: @KathleenLau  

Related Download
A Guide to Print Security for Canadian Organizations Sponsor: HP
A Guide to Print Security for Canadian Organizations
IT security vulnerabilities are a growing cause for concern for organizations trying to protect their data from printer breaches.
Register Now