Sowbug: Cyber espionage group targets South American and Southeast Asian governments

Group uses custom Felismus malware and has a particular interest in South American foreign policy.続きを読む

Group uses custom Felismus malware and has a particular interest in South American foreign policy.

続きを読む

Sowbug: Cyber espionage group targets South American and Southeast Asian governments

Group uses custom Felismus malware and has a particular interest in South American foreign policy.続きを読む

Group uses custom Felismus malware and has a particular interest in South American foreign policy.

続きを読む

Workplace Performance Concerns Lead to Privacy Violation

A recent Order of the Office of the Information and Privacy Commission of Alberta (OIPC) provides guidance on potential privacy traps when managing performance issues in the workplace.
Two coworkers of the complainant were concerned about the complaina…

A recent Order of the Office of the Information and Privacy Commission of Alberta (OIPC) provides guidance on potential privacy traps when managing performance issues in the workplace.

Two coworkers of the complainant were concerned about the complainant’s workplace performance. The reasons are opaque but there may have been health issues such as substance abuse requiring rehabilitation. The coworkers who were friends of the complainant emailed and texted the parents of the complainant. At least one of the coworkers also provided information to the employer apparently at the request of the employer.

Ultimately, the adjudicator concluded that the coworkers were acting in a personal capacity when communicating with the parents (this was more by luck than design in one case). But, the employer was found to have violated the Alberta Personal Information Protection Act (PIPA) by failing to have a policy or otherwise notifying the complainant on the circumstances in which it might collect performance-related personal information from coworkers.

Were the communications to the parents in the course of employment?

If the coworkers communicated personal information about the complainant to her parents, this would have violated PIPA, as a disclosure without consent. The organization argued that the coworkers were not acting on behalf of the employer when they wrote to the complainant’s parents and disclosed information about her performance at work and their concerns about the complainant’s personal life. One of the emails was sent using the coworker’s work email address. However, the adjudicator concluded that this was not determinative since the coworker said that she was writing from that email account so that it would appear legitimate and provided her personal email account address as contact information.

The text messages were more complicated. The coworker sending those messages initially conveyed personal information about the complainant. However, in subsequent messages, this coworker relayed information about the steps the employer intended to take to address the complainant’s work performance and that the employer wanted to arrange a meeting with the complainant, the complainant’s mother and the coworkers. Ultimately the adjudicator concluded that the personal information that was disclosed in the text messages was done in the context as a friend of the coworker and not as a representative of the employer. As for the subsequent texts, the adjudicator concluded it was possible that the coworker was acting as an employee of the employer (with or without authority) but at that point the discussions were about a meeting and did not reveal further personal information.

Was providing the information to the employer done in the course of employment?

The adjudicator accepted that a coworker might provide personal information about another employee in their personal capacity rather than in the course of their employment. The adjudicator concluded that the key issue was the circumstances in which the information was provided. The adjudicator concluded that “[w]hen the information is provided in the workplace, and especially where it is solicited by someone in the organization that has the ability to deal with performance issues (as the employer does here), it seems to be reasonable to assume that the information is being provided as an employee, and not in a personal capacity.”

Did the employer violate the complainant’s privacy?

The adjudicator accepted that the complainant’s personal information at issue was information that would be useful in managing the employment relationship with the complainant and, therefore, the information was employee personal information. This was significant because there is more latitude to use and disclose employee personal information without consent. However, in order to use or disclose employee personal information without consent, the employer must provide reasonable notice to the individual. The notification must be given before the information is used and disclosed.

The adjudicator accepted that reasonable notice could include a policy on how an organization deals with performance or disciplinary issues or when feedback may be requested from coworkers, provided the policy was brought to the attention of employees. Alternatively, in this case, the employer could have approached the complainant first to discuss the performance concerns and advising the complainant that the employer may need to seek input from the coworkers. The employer failed to do so.

Key Takeaways

Employers should make sure that employee privacy policies or codes of conduct contain explicit reference to the need to gather information from coworkers in some cases in order to manage performance issues and how the employer will respond to unsolicited performance concerns by coworkers. This case did not involve an investigation into a harassment or other violation and so the exceptions for investigations did not apply.

This case also provides another reason to educate employees on obligations under personal information legislation. One could easily imagine other scenarios in which well-intentioned employees may be found to be acting in the course of their employment when communicating with family members or other friends of a coworker.