At this year’s GTEC, Technology In Government assembled a panel of experts to ask them the best way to implement and enforce IT user policies in view of several recent high-profile public sector cases involving IT systems abuse.
The group included Dan G. Palayew, a lawyer with Ogilvy Renault; Kim Langford, director, road user safety application solutions, Ontario Ministry of Transportation; Tanya Quaife, vice-president of business development & government relations at BAJAI Inc.; and Lt. Col. Frances Allen, commanding officer, Canadian Forces network operations centre.
If there’s one thing the group agreed upon, it was that for IT user policies to work, users need to understand why they are in place and how they benefit them and the organization.
Portions of this transcript appear in the November issue of TIG, along with additional exclusive GTEC coverage.
TIG: How do you implement and enforce IT user policies in the public sector?
Frances Allen: Where I work we provide network situational management, which includes network management and security management for the Department of National Defence, so part of our responsibility is to ensure the systems are always available and able to provide the capability that is required by the business aspect of the department. But we also recognize that networks and systems have become like telephones, so in our IT user policy we allow that you may use that system for personal uses. So while we state they are our resources and our information, we don’t say you can’t call your mom. That provides an additional challenge to us when it comes to managing the systems because people have an assumption that they may use these systems for personal use but not necessarily have an expectation of privacy with that personal use, so we have to work within that environment as well as the fact that a number of our internal government networks are often connected to the public and the public has a little bit of a different expectation that you can’t force upon them.
Kim Langford: There’s a balance between someone using it to pull down one music file and someone using it to send off one personal e-mail. Within the Ontario Public Service what we did was we said, “Let’s put together a policy. Let’s not be draconian or authoritarian about it, yet let’s be serious and responsible,” and as we started poking at it, it went a bit beyond the Internet or just e-mail. It went into workplace displacement harassment, it went into areas around sensitive information; it went into the responsibility of ownership of the employee. So what I thought I’d do today is walk you through the policy we have.
First and foremost, the policy was created across the OPS for 63,000 employees and it was a joint effort between HR at the OPS level and legal – you cannot do it without the legal aspect – and with IT. The main area of compliance is education. There is just no other way you can really get the message out. That said, we put together a fairly thick briefing for new employees when they come on, whether it’s an orientation for a new employee or a consultant doing a contract.
We walk them through an introduction where we try to remind people it is their responsibility to exercise restraint and to be aware of sensitive information and that’s probably the No.1 key point of our policy – that it’s their responsibility.
We walk them through the benefits of the training, the importance of information security and the IN/IT security for e-government, and along with that, in October 2000, the Ontario government enabled the e-government legislation where we have tried to lay out the basic tenets around e-commerce and e-transactions.
We stress this is for everyone; we go onto sensitive information and one of the things the Ontario government has done is we have embarked on a three- to five-year program to classify information, whether it’s on a high level, a medium or a low level or simply unclassified. We also talk about user education and password management, but then we get into the accepted use of the IT resource itself. You cannot use it for your personal gain, you cannot use it for entertainment or to run businesses and we all have horror stories where we found out someone was running a business on the side and using the government’s or the company’s resources to do that.
We talk a little bit about protecting the IT resources and the need to be aware of sensitive information, and we talk about the need to encrypt it.
We have a program in place whereby every employee that comes on board must sign the Public Service Act and they must be aware of the secrecy around private and sensitive information. We have training programs on that as well to help them understand you don’t leave sensitive information lying around, and that you do not pass sensitive information on to individuals who are not authorized to receive it, etc.
We provide training on the workplace harassment policies and … similar to other organizations we do monitor the traffic regularly on the network behind the scenes. If suspicious activity is flagged, the manager of that particular employee is notified and we start the investigation from that point.
The last thing is we also have numerous sites we ask employees to go to. We put this in everyone’s orientation package and we ask them to go to the OPS’s IN/IT’s security Web site for information and technology security directives and the operating procedures on the Internet and extranets. We ask them to read up on the operating procedures for using IT resources, on workplace discrimination and harassment prevention, to go to the Public Service Act, and we ask them to read the Electronic Commerce Act. And in addition to that, if they still don’t have enough information, we ask them to then contact the cluster security officer or the corporate security branch.
Our main focus with compliance is on education. We have programs where every now and then we’ll go back and refresh everyone’s education so we don’t leave it just to the employee to read it all.
TIG: BAJAI takes a different approach. Can you elaborate on that a bit?
Tanya Quaife: Usually what happens is I come in and I approach management and I’m dealing with government, so I’ve got employees on one side and HR and IT (on the other). Everybody has a different concern about how the Internet is being used – some are concerned about the content, some about privacy, some about IT security and what’s being accessed.
Because your jobs are central to the security of our information you’ve all got different concerns. Typically in IT you haven’t all had to work together and you’ve never had to ask a piece of software to step forward and implement a set of rules that are going to work together, and it’s essential that you work together to build them — it keeps resentment down … because you don’t have employees saying “why is this person paid the same as me to shop e-Bay? Why am I working twice as hard?”
Policy has obviously not addressed what’s in the workplace and I’m going to leave out porn as the big one because we all know porn doesn’t belong in the workplace. Do you get porn by accident? Typically, no. When I hear people complain about porn spam and porn popups I say in your department you’ve got people leaving cookies at porn sites.
You have to manage the content and how you use content will bring you back to how your network is managed. The biggest problem used to be porn, but now we’re looking at spyware and adware, as well as peer-to-peer. I did a federal department overall threat risk assessment. They wanted to know why their network was so busy at night. It was because everybody had Hotbar and Hotbar was using their network at night to transmit information on a peer-to-peer network. They may not have been accessing anything private, but they might have been, and nobody had any way to know.
Do you know how much traffic is travelling on a typical day, what that traffic is doing and how to control it? What is it you need your Internet management tool to do? Manage content in real time. If your employees know you have a filter up you have one of two problems – either employees that are misusing your network or a really bad filter, because they shouldn’t know it’s there. That’s how streamlined and accurate it should be. It should work with your e-mail systems and anti-virus and it should enhance your system.
User education is essential. You have to let your employees participate so they’re not resentful. But they don’t understand why you’re picking on them individually. It has to start with management explaining why you do this. You do this because you have certain rules, you want to enforce them and you want to do it with the least amount of intrusion on our daily activities. If it’s a mobile resource it has to be handled as a mobile resource. If it’s a network it has to be managed as a network and these solutions should work together.
Porn e-mails don’t come from nowhere. You have to manage from the beginning and the most unfortunate part is when you’re going backwards, when you didn’t know in the beginning you had to manage access. Employees feel like you are clawing away at them. e-Bay is a beautiful example. At a huge federal department the biggest problem they had was e-Bay. And ever since the e-Bay problem they have had a mail server problem. Why? Because although they don’t care if employees shop at lunch, what happens is someone will make a bid at lunch and someone will outbid them, so they’ll get notification. Now the e-mail server is swamped all the time. Why? Because they didn’t manage the access. You could open that access at lunch and close it down after. You could go to your e-mail server and put in a piece of software that’s going to manage the e-Bay software and say no, this is the stuff that comes with spyware and adware and cookies and all the stuff you don’t want in your network.
TIG: Dan, most of these cases don’t end up in court but some do. What are the legal aspects of this issue?
Dan Palayew: I’m on the management side so I’m often called in at the front end because this is such a hot topic to counsel employers, agencies and ministries on how to implement policies. I’m also called in at the back end when all those systems, despite all that education and training and coaching, are in place and things go wrong. I think we all understand why employers monitor – they monitor for productivity issues, for privacy protection issues, they monitor with respect to network performance in terms of bandwidth and network slowdown and most important in terms of some of the cases that have made it to the courts, they monitor because of the fear of workplace liability. There haven’t been huge awards yet here in Canada but in the U.S. there have been multi-million-dollar lawsuits and settlements and awards.
Morgan Stanley is a good example. There was a US$20 million lawsuit with respect to racial harassment – people were sending inappropriate e-mails that had racist components and pornography. All of those can lead to employer liability under various pieces of legislation. In the federal sector under the Human Rights Act every employer has a positive duty to maintain a harassment-free and poison-free workplace. At the provincial level it’s the Ontario Human Rights Code, and health and safety legislation comes into play as well in terms of an overall duty to maintain a safe and healthy workplace, so those are the reasons employers monitor.
The question I always get asked on the front end — and it also comes up on the back end — is, is it legal? This is what for the last few years the courts have been struggling with. The starting point for a lot of courts is the Criminal Code. Under the code, it is an offence to intercept by any electronic means a private communication. It was drafted to deal with wiretapping but it’s broad enough that it also covers electronic surveillance.
The key to that provision — and it does not apply to communications that are not private and it does not apply if one of the parties in the communications consents — is, is there a reasonable expectation of privacy?
We mentioned the Ministry of Natural Resources case, which led the headlines front and centre. It’s a very interesting case. There were six employees who were terminated. The arbitrator issued a bottom-line decision saying those employees would be reinstated with reasons to follow.
What didn’t make it into the papers and is crucial is that MNR actually disciplined 83 employees in the ministry across the province. Included in those 83 were several managers, a human resources advisor and an advisor on workplace discrimination policy. None of those were fired but some were in the Category A group that had the most serious type of pornographic material in their e-mail and on their servers and all we have right now is a bottom-line decision.
These employees were terminated in June 2001, so the decision to reinstate that was just issued this past June took three years and 43 days to get a bottom-line decision.
The message I give to employers is it’s simply not enough to have a policy. It’s what you do with it and how you educate employees.
There’s a good case in the federal sector involving the Treasury Board and Correctional Services. In that case the union claimed breach of privacy, not under PIPEDA, the federal privacy legislation, but under Section 8 of the Canadian Charter of Rights. But what Correctional Services showed in the case was they had all these policies in place, that they provided four reminders of the policy in the past year and that every time an employee logs onto the system there was a login warning where you had to click an OK saying, this is our equipment, don’t abuse it, if you abuse it bad things will happen to you; if you agree, press OK.
The employees, if they’re doing all that, can’t say they didn’t know about it. They tried that in the MNR case and the arbitrator said, “No, you knew about it, or if not, you ought to have, and in this day and age people know porn is not OK in the workplace.”
The board said it must also be said Correctional Services is an employer that must always strive for public confidence and respect. The activities engaged in by the employees only detract from that objective, and I think that’s something that’s unique in the public sector with respect to why we monitor.
I think part of the reason the MNR case got as much attention as it did was because it was the MNR; because it was public sector it makes it more newsworthy.
TIG: To what extent does the fact that public sector environments are unionized complicate the issue?
FA: I don’t know of any specific issues that have been brought forward by the union or by management to the union with respect to that. From our perspective we have four different uses: official; authorized (not for official business but for personal use that is a reasonable duration); unauthorized, which causes discredit to the department or is for personal gain; and prohibited use, which violates a federal statute or provincial statute.
For CF military members (who breach the policy) they recommend administrative action, which is generally counselling and probation for unauthorized use. For prohibited use that’s where disciplinary measures kick in. For public service members disciplinary measures are the route that is pursued, primarily because our administrative measures within the Canadian Forces are similar to the first steps of disciplinary measures such as a verbal or written warning for public service members. We’ve tried to categorize the process for members of the public service and to my knowledge we don’t have any union opposition to it.
KL: There is a very good reason why we have so many different policies in place and every one of them has one or two clauses that say it is your responsibility, you have taken an oath and a vow to the public service that no resources or information are to be used for anything but business purposes. It’s very clear if you are in the government and you are using government resources it can only be for government business purposes. It allows us to circumvent the Privacy Act. One of my opening comments was there is a fine balance between enforcing what it is you believe in and letting employees have freedom, because you do not want to be a police state, you don’t want to be draconian, and no matter how you look at it, in the OPS when you have 63,000 employees, someone somewhere is going to send something out. Do you want to say, “You weren’t allowed to do that and now we’re going to hold you up in front of everyone?” No. It’s not reasonable and it doesn’t make sense. It’s really when someone is abusing the policies and it becomes clear they’re abusing them that the policies come into play. If someone is sending out one personal e-mail that’s a different story.
TQ: I’m of the belief it’s best not to be draconian with this and I’ve seen people lock the place down and it just doesn’t work. You need to find a balance and you need to work together. If you’re paying attention to your network you’ll see if someone is abusing e-mail. The less stuff you document the better. If you can just stop them from going to a porn site, stop them from getting a virus, that’s better than monitoring.
DP: It’s a management right to implement these policies. We haven’t seen any union grievances over the implementation of these policies. From a practical point of view, though, the MNR case took 43 days of hearings. That’s not going to happen in the private sector. You’re not going to be able to afford to go to court for 43 days. In the private sector employers settle through mediation, they settle upon discovery; they do not go to court. What a union does is it has the resources to bring these arguments forward over these lengthy multi-day cases, so that’s how unions complicate it, if you will, because they have the resources. A lot of these cases, not surprisingly, are in the public sector, not in the private sector. A lot of the privacy cases under PIPEDA come from CNR cases, CP cases. The unions bring these resources to bear because they’re very expensive and time-consuming to litigate. In terms of where I see this going, it’s interesting because, while these issues are starting to make their way up from the arbitrators to the courts, so far at least there are a couple of recent cases. There’s one from Alberta where the union made a privacy argument and the court said there is no reasonable expectation of privacy in Ontario and that the reasonable expectation of privacy was a legal fiction invented by arbitrators to correct a perceived power imbalance.
I think it’s a veritable explosion in this area of the law and I can’t really predict where it’s going to go, other than to say it’s going to be a mess for a few years to come and it’s going to be very litigious.
TQ: Which is a big change. It used to be in the public sector that they’d walk you to the door and say, “If you don’t tell we won’t tell.” That was common in the public sector.
KL: I would add that in the OPS every IT solution that goes forward has to go through a privacy impact analysis. When we joined the civil service we certainly didn’t do it for money. But being a civil servant carries with it a responsibility to the citizens you’re there for. In government, is it different from the private sector? Absolutely. Let’s not kid ourselves. We have a responsibility to demonstrate that we are upholding the values around privacy so our integrity is intact and we aren’t in the next media story tomorrow talking about how we goofed up one more time.