Is Canada a surveillance society? It’s a good question, as there is a trend in North America towards increased surveillance of citizens.
Sometimes, the judicious use of surveillance technologies is intended to protect public safety. Other times, surveillance is employed to provide rewards for customers who use certain products or services (yes, Virginia, loyalty cards are a surveillance technology). Surveillance also assumes many other forms.
Sometimes these intrusions into our personal lives are justified and do not violate an individual’s right to privacy, especially if data protection principles are employed.
There is another form of surveillance that I find more troubling – that of monitoring employee Internet access and e-mail traffic. This is being done ostensibly to ensure that the system is being used for employment-related reasons, to conserve information technology resources, and to detect unlawful use of the system.
Employee surveillance is unquestionably intrusive and once initiated, it will erode employee trust and productivity. Employees will become less willing to voluntarily go the extra mile to provide good customer service or exceed the demands of the job. If surveillance erodes employee trust and loyalty, the best employees will go elsewhere.
I am not suggesting that an employer should turn a blind eye to illegal activity or to misuse of company resources. However, I am suggesting that management can use techniques that are more appropriate (including surveillance or advising the authorities) to deal with a specific problem instead of subjecting everyone to surveillance. The key here is to employ remedial action judiciously when there is a problem and to do so in a manner that is consistent with established privacy principles.
Another misapplication of surveillance is the inferential misuse of the information. For example, an individual may be using employer-sponsored Internet access to research university papers on HIV and AIDS, substance abuse or domestic violence. With knowledge of the Internet sites visited by that individual, some unenlightened soul will begin to spread rumours that the individual is somehow personally touched by one of these situations. It’s a “Let’s not let accuracy get in the way of a good rumour” approach.
Employers that are contemplating surveillance of e-mail need to consider the wiretap provisions of the Criminal Code. In a 1998 technology briefing, the Canadian law firm of Osler, Hoskin and Harcourt advised readers that “section 184 of the Criminal Code prohibits the use of ‘any electro-magnetic, acoustic, mechanical or other device’ to wilfully ‘intercept a private communication.’” (http://ohh1.osler.com/Publications/Technology/tb_brief.htm#11)
Employers choosing to proceed with surveillance should remove employee expectations of privacy by implementing a corporate Internet and e-mail acceptable use policy (AUP).
But irrespective of the company’s AUP, I believe there are situations where there remains a reasonable expectation of confidentiality. Every organization has positions wherein the employee or the public expects confidentiality. Many government organizations have one or more individuals who are responsible for processing sensitive requests under their freedom of information and protection of privacy legislation, for example. Law enforcement organizations receive complaints from confidential sources.
Many organizations have peer counsellors who advise others on workplace harassment and discrimination matters. Employees are usually advised that these peer counsellors can be approached on a confidential basis. I can think of no situation where the company’s need to manage infrastructure would outweigh an individual’s right to privacy in these or similar situations.
E-mail and Internet surveillance is a management issue with legal, ethical and technological implications. Employers and technology managers must consider all facets of the issue before a decision is made to monitor e-mail and Internet usage.
Boufford, I.S.P., is president of e-Privacy Management Systems, a consulting firm specializing in privacy and information technology. He can be reached at firstname.lastname@example.org.