1

REPORT TO

CHIEF ADMISTRATIVE OFFICER

DISTRICT OF SAANICH

EXCERPT FROM CONFIDENTIAL PERSONNEL REPORT

By Brian Simmons, Labour Relations Consultant

June 20, 2015

Review of the actions of staff with respect to any possible

breaches of policy or general conduct SUMMARY OF FINDINGS OF FACT

1. Finding The Decision to install Employee monitoring software was made within the proper authority of the District CAO.

2. Finding A decision to increase security due to a new incoming Mayor was reactive and may have pre-empted greater discussion on privacy matters.

3. Finding The facts are not in dispute that there was very little discussion about the decision to go ahead with the forensic auditing software. It is likely that greater discussion may have avoided some unforeseen errors.

4. Finding I share a conclusion found by the OIPC Report that there was a level of Information & Privacy awareness lacking in the culture of the District.

5. Finding Given the short turnaround time to secure software, the IT staff completed the task professionally and were able to meet the forensic audit objectives.

6. Finding There is not sufficient evidence to make a conclusive finding whether the

Network Access Form was given to the Mayor or not.

7. Finding As pointed out by the OIPC, it was an oversight to not notify the Mayor

and employees of the type of monitoring software being installed; this was

consistent with the Districts reliance upon an outdated policy that set out a

different understanding than the OIPC. The error was common to the CAO and

Directors.

8. Finding Pursuant to the OIPC, the Commissioner found that when an employee

raised some privacy concerns the District relied upon an outdated policy to allow

the software installation. That authority came from the CAO.

9. Finding The release from the OIPC infers that there exists some ambiguity in

the Districts January 14, 2015 press release but I am not aware of any evidence

that lead me to a finding that it was a deliberate attempt to mislead

2

10. Finding The evidence supports the management claim that the incoming Mayor

was granted the same network access privileges and his computer was configured

the same as the outgoing Mayor.

11. Finding I find that on the balance of probabilities, and considering all of the

circumstance, the evidence does not support a claim that the Mayors computer

was targeted.

PRINCIPLES OF EMPLOYMENT REVIEW STANDARDS OF PROOF

It is well recognized that an Employer may dismiss an employee where the employee

has provided just cause for terminating the employment relationship. Employers must

determine if the conduct of the employee is incompatible with the terms and conditions

of employment. The evidentiary burden on an employer is clear and cogent evidence.

SUMMARY OF FINDINGS OF STAFF CONDUCT

It is not surprising that some of the persons who made wrong decisions believe they

made the right decision. This was the perfect storm. The decision to move up a

scheduled security upgrade was done quickly, and that resulted in several missed

opportunities to look closer at the Privacy implications of that type of software being

installed. As the Information & Privacy Commissioner pointed out, if a Privacy Impact

Assessment was undertaken, all of this may have been avoided. It was an error, but

certainly I could find no evidence of malfeasance of conduct by any employee, or

person interviewed in this process.

Finding no evidence of malfeasance, I find no cause to terminate or discipline any

employee based upon those considerations.

From a perspective of a review of the actions of staff taken in this matter, I find that the

staff that I engaged with were professional and competent in all related matters

discussed. I accept the OIPC finding that a corporate privacy awareness was lacking

that may well have avoided this event.

But I found no evidence that would single out any particular individual in this matter,

rather it was a corporate decision.

From a Human Resource perspective, that has been endorsed by the District, the

implementation of the Information and Privacy Commissioners recommendations should

continue. At this date, 6 months after the fact, it is my observation that the staff would

benefit greatly from closure to this matter.