CPS found in violation of privacy act
An adjudicator has found that the Calgary Police Service violated the Freedom of Information and Protection of Privacy Act when it accessed a civilian employee's personal email account during a workplace investigation.
A complaint was filed with the Office of the Information and Privacy Commissioner by a woman who said that the CPS collected, used and disclosed her personal information in contravention of the FOIP Act.
The complaint stems from an incident in March 2010, when the CPS' HR consultant was told by the woman's manager that several of her coworkers had made allegations about her behavior at work, including allegations of inappropriate sexual conduct.
The CPS initiated a workplace investigation and monitored the woman's computer activities for about a week and also reviewed her past work email activity.
During the investigation, the IT Manager found a personal email that the woman had sent to a family member, which included the login ID and password information for her personal web-based email account.
The IT Manager used this information to access the woman's personal account and found photographs of a sexual nature, which appeared to have been taken on CPS property.
The IT Manager copied the photographs and gave them to the woman's manager and the HR consultant.
The images were used as part of the decision to fire the woman and were also used during the subsequent grievance process.
The woman did not object to the investigation or collection of her work email but said she did not believe any employer has the right to view and access an employee's personal email account simply because the data is within the employer's email space.
The CPS IT Manager argued that the primary concern was the leaking of third party, confidential, personal information to the outside as well as the possibility that the login credentials were a way to offload information to an external contact.
Adjudicator Amanda Swanek ruled that the CPS' use of the woman's personal email login ID and password was not for the purpose of employee management, because the IT Manager had not been requested to monitor personal email accounts and that there was no evidence of wrongdoing that would justify the access of the account.
Swanek also found that logging in to the woman's personal email account was exceptionally invasive, and patently unreasonable under the circumstances.
Her investigation determined that the collection and use of the woman's photos from her personal email account could not be justified as "necessary" for the purpose of her employer's investigation, because they were found as a result of an unauthorized use of the woman's personal information.
The Adjudicator also said that there was no evidence that the IT Manager was led to the woman's personal email account because she accessed it from work or that he had reason to suspect the woman used the account to leak CPS data.
As a result of the findings, the CPS has been ordered to stop collecting personal information in this manner and must provide employees with training on the collection and use of personal information in the course of investigating employment and personnel matters.
The CPS was also order to notify the adjudicator and Complainant in writing of its compliance within 50 days of receiving a copy of the Order.
To view a copy of the Order, visit the OIPC website.