Tuesday, March 31, 2015

Privacy Commissioner's report on Saanich

I have not blogged about the situation with respect to Saanich mayor Richard Atwell because up until now I have not had much substance to make up my mind about what is going on.  All I would be doing is adding more unsubstantiated speculation to the mix.   This changed yesterday because the BC Commissioner of Privacy released her report of the Use of Employee Monitoring Software by the District of Saanich.  I still can not comment in any useful way about the other issues because I do not have the facts.

The report gives more details of what happened and when.   Here is my quick take on it all
  • The core person in the whole thing seems to be Director of Corporate Services Laura Ciarniello.  She seems to have been a part of all the decisions and seems to have been informed about Spector 360 and then approved its use.   She is a Certified Human Resources Professional and I would think this means she is very aware of Freedom of Information and Protection of Privacy Act
  • Senior Saanich staff in general does not seem to understand the Freedom of Information and Protection of Privacy Act
  • It is not normally appropriate to act on any policy changes between the start of an election and a new council being sworn in and especially not in the short period between the end of an election and the swearing in of a new council.   The decisions around Spector 360 were taken during this period and should not have happened for that reason alone.  
  • The decision to use Spector 360 seems very rushed and ad hoc.   The decision was made in only four days after what seemed like months of no action on a May 2014 IT security audit.
  • Spector 360 in itself is not a breach of the Freedom of Information and Protection of Privacy Act but only some of the functionality of the software, specifically keystroke logging, screenshot recording, program activity logging, email recording, and user logon functions.   Admittedly those functions seem to be very much the core of Spector 360
  • It seems like the decision to buy Spector 360 was very much connected to the election of Richard Atwell as mayor. 
  • I think the situation arose because of incompetence and fear on the part of staff
Here are the questions I still have:
  • Has council ever been allowed to see the IT security audit?
  • Did former CAO Paul Murray sign off on the new software?
  • Why did staff not explicitly tell Mayor Richard Atwell that Spector 360 was being installed on the new computer purchased for his office?  I would have expected staff to have worked very closely with the new mayor on what computer was to be purchased and how it was going to set up.
  • Why did staff not halt the use of Spector 360 when Mayor Richard Atwell expressed his concerns about the software?   The mayor is the leader of council and when concern is expressed by the mayor staff should be paying close attention.
  • Why did staff not come to council immediately after the mayor expressed issues with the software?
  • Why did Mayor Richard Atwell not bring his concerns about the software to council in December 2014?   Why did he raise his issues on January 12th 2015 in a press conference?   Why the delay?  Why that date?   Why was council not informed beforehand?
  • Who wrote the January 13th media release from council?   Was it intended to be misleading and was council aware of that?  Did council know that Spector 360 was installed in the default mode and therefore in contravention of the Freedom of Information and Protection of Privacy Act?
  • Why did council not make a clear decision in January that the use of Spector 360 was not OK?
  • How could Director of Corporate Services Laura Ciarniello not be aware that Spector 360 was likely to be in violation of  the Freedom of Information and Protection of Privacy Act?  She is a Certified Human Resources Professional and I would assume should be aware of FIPPA.
  • Why did the IT Manager not check if any other municipality used this software?   
  • Did the IT Manager inform the Director of Corporate Services about what the default setting of Spector 360 was and how it was not appropriate to use?
  • Has council lost confidence in some members of senior staff?
Recommendation #5 is one that all municipalities should be looking at:

The District of Saanich should implement a comprehensive privacy management program to ensure it is able to meet all of its obligations under the Freedom of Information and Protection of Privacy Act. This program should include the appointment of a Privacy Officer.
The Privacy Officer should conduct a comprehensive audit of the District’s compliance with the Freedom of Information and Protection of Privacy Act, and compile a registry of all personal information in the custody or under the control of the District.
The District should provide training to all employees in relation to all requirements of the Freedom of Information and Protection of Privacy Act.
In my experience there is not a lot of understanding of the Freedom of Information and Protection of Privacy Act by municipal staff.    All municipalities should be adopting this recommendation but can small municipalities afford to implement it?

Timeline of the Spector 360 software story

  • May 2014 - An IT security audit is conducted for Saanich by Wordsworth and Associates - it does not recommend Spector 360
  • Saturday November 15 2014 - Richard Atwell wins the election
  • Monday November 17- Wednesday November 19 2014 -  Director of Corporate Services Laura Ciarniello and IT Manager Forrest Kvemshagen discuss the need to remedy outstanding IT security issues.   It sounds like the decision to move forward all of sudden was in part motivated by the election of the new mayor.  The decision to finally move forward quickly seems to have meant an interim solution had to be purchased off of the shelf
  • Wednesday November 19 2014 - Director of Corporate Services Laura Ciarniello met with the Chief Administrative Officer, the Chief of the Fire Department, and the Directors of Legislative Services, Planning, Parks and Recreation, and Finance.   At this meeting the staff decided on which computers security software would be installed
  • Wednesday November 19 2014 - Director of Corporate Services Laura Ciarniello directed IT Manager Forrest Kvemshagen to research and procure protection and monitoring software.  
  • November 20, 2014 -  After researching available options through an online search, the Assistant Manager reported back to the Manager of IT, recommending that the District acquire Spector 360.
  • Friday November 21, 2014 -  Spector 360 was purchased.
  • Wednesday November 25 2014 - CAO Paul Murray and mayor elect Richard Atwell meet in the Mayor's office
  • Thursday November 26 to Friday December 3, 2014: District IT staff installed Spector 360 on 13 employee workstations.  Spector 360 was installed with the default configuration, which seems be a major part of the problem because the default setting is an invasion of privacy
  • Wednesday December 1 2014 - the new council is sworn in
  • Thursday December 2  2014 -  The Manager of IT emailed the Director of Corporate Services requesting express authorization for the installation and activation of Spector 360, including the keystroke logging function.  The Director of Corporate Services approved   Though the software had been being installed since the previous Thursday and was completed by the next day.
  • Monday December 8 2014 - In an in camera meeting Saanich council to discuss labour issue
  • Thursday December 11 2014  Mayor Richard Atwell was informed by a third party about the installation of Spector 360 on his District workstation.
  • Friday December 12  2014 -  Mayor Richard Atwell met with the Manager of IT, the Assistant Manager of IT, and Director of Corporate Services to enquire about the software.
  • Monday December 15 2014 - Mayor Atwell complained to Saanich police about the use of Spector 360 by the District, and asked the police to determine whether the use of the software was in contravention of the Criminal Code of Canada. Saanich police sought an opinion from outside legal counsel on the legality of Spector 360. As a result of that opinion it was determined by Saanich Police that the use of Spector 360 was not a contravention of the Criminal Code. This opinion did not appear to consider whether the use of Spector 360 was in contravention of other federal or provincial law.
  • Tuesday December 16 2014 Council met in camera to discuss a labour issue
  • Wednesday December 17 2014 Saanich Council announces they have come to a parting of the ways with CAO Paul Murray.   What is not clear to me is the last day he worked in the office, I have been told conflicting dates
  • January 12 2015 - Mayor Richard Atwell informed the public via a press conference that the District had installed spyware on his computer.
  • January 12 2015 - Police Chief Bob Downie informs Saanich Council at an in camera council meeting that it is his department’s determination that no criminal offence has taken place and the review has been concluded.  Note, the police only looked at the criminal aspects of what happened and did not seem to consider any other breach of the law.
  • January 13 2015 - Media release from Saanich Council stating some of the story on the computer security issue
  • January 14 2015 - Media release from Director of Corporate Services Laura Ciarniello explaining why and when Spector 360 was purchased
  • January 19 2015 - The Director of Corporate Services directed the Manager of IT to disable Spector 360 pending a resolution of the concerns about its use by the District.
  • January 20 2015 -  Privacy Commissioner initiates investigation into the use of Spector 360 by Saanich
  • January 21 2015 - Spector 360 is disabled by Saanich
  • January 21 2015 - Saanich hires Andy Laidlaw as interim CAO. Saanich   This is relevant because Director of Corporate Services Laura Ciarniello used to work for him in Campbell River
  • January 28 2015 - Interim CAO Andy Laidlaw starts work
  • February 5, 2015 - Saanich announces Spector 360 has been disabled
  • March 17 2015 - Saanich interim CAO Andy Laidlaw announces Spector 360 will not be used again
  • March 30 2015 - Information and Privacy Commissioner releases her report

No comments:

Post a Comment