Policing privacy

Participating in the discussion were:
Steve Summervile, Vice-President, MKD Security Awareness and Training Inc. security and live event consultant in Toronto;

Michael Galin,
Manager, Physical Security Program, Corporate Security Office, Aviva
Canada in Toronto, an insurance company with headquarters in the U.K.;

Paul Carson,
National Security Manager, Brookfield LePage, Johnston Controls. BLJC
which currently manages 70 million square feet of facilities across
Canada from government to private sector, manufacturing etc. Carson is
responsible for about half of that space.

Martin Green,
Manager Security and Parking Rouge Valley Health System, also the GTA
chairperson CSIS and the Eastern Regional chairperson for the
International Association for Healthcare Security and Safety.

Roger Maslen, Senior Partner, Shepp Johnman, Security and Investigation Management, Calgary, Alta.

CSM: The discussion around privacy these days ranges from the proper handling of surveillance in the workplace to the collection, retention and protection of personal data — whether it’s information on employees or customers. What is the biggest privacy/security challenge facing your organization right now?

Maslen: We haven’t been affected too much by privacy legislation; however, we have been limited more recently in the way we access vehicle licensing information. It hasn’t really been a deterrent to our job, but more an issue of what information we can get. The Alberta government took away our access to motor vehicle registrations a couple of years ago, prior to the legislation. At that time, they thought that it was not reasonable that we should have that kind of access.

It has made it more difficult because, if used correctly, it is a valuable tool for private investigators who are investigating fraud or other criminal matters.

The privacy legislation has not changed much for us, as the legislation allows for us to collect information if we are involved in an investigation of a criminal matter or other legal matter.

Summerville: The placement of cameras and monitoring systems should be able to be justified and not perceived as being intrusive or illegal. Most recently, we were involved in the installation of CCTV monitoring systems at the Canadian National Exhibition where you have a world’s fair situation with lots of people and concerns of protection and terrorism as well as a certain expectation of privacy. We have common areas being monitored and what we had to be very careful of in terms of education was profiling. It’s also my personal opinion that collection is for the purposes of safety and it’s not always for a specific investigation; it’s a generic application and we want clients to let people know there is no hidden agenda. I suggest they pass it by their legal counsel as well.

Galin: My biggest focus in terms of privacy is customer information. Previously, when I worked in manufacturing, my biggest concern was trying to protect the proprietary information of the company — both the technology itself and the company financial information, but currently it’s customer information. Being an insurance company, we have a lot of sensitive information about the customers. In fact, we have to collect a lot of sensitive information just to provide them with a quote, so it’s everywhere. The job we have in corporate security is to educate people about the liability of having all that information on hand and the potential risk. We had to educate people; help them understand that one of the biggest concerns is locking up (information) properly to make sure it doesn’t walk out the door.

We have requirements that anything confidential or higher is behind a minimum of two security controls. A lot of it is education. After you teach them why they have to protect this stuff, they buy-in.

Carson: For me, proprietary information for BLJC needs to be protected at our facility in Markham. Moreover, our client information in general. We utilize a number of scenarios, but each one of our clients has different thresholds in relation to what they want protected, and how they want it protected, so a development of standards for each client’s needs is established right at the transition of our contract. We’ve developed standards in relation to shredding, surveillance, video surveillance policies and who deals with that information, whether it’s the general public, police, or any investigative body. We protect our computer systems and computerized data through developed standards in relation to a triple layer of controls when it comes to high-level data. We deal with the B.C. government and I’ve never met an organization that required such strict controls on their data, both in relation to business and people. They have zero tolerance in relation to breaches. Every breach has to be investigated and every investigation has to have root cause analysis.
 
We’re constantly battling privacy issues from a client’s perspective. Some clients believe they need no privacy because it’s not applicable to them and then there are some like the government agencies that require a rabid policy on privacy. We’ve got our hands around the issue of privacy and we’re starting to come out with different processes so we can say, alright, your privacy concerns are X so the closest thing we have is the government’s policy — do you want us to roll that out for your company?

Green: When it comes to health care, the information we have on our clients is extremely detailed personal information and we’re obligated to keep it all confidential. It’s always been something health care has to work extremely strongly at to maintain a person’s expectation of confidentiality. The privacy legislation really didn’t have much of an impact because we have always protected a patient’s privacy.
We have a policy that we do not release video to staff or to police without a warrant. I’ve had an officer say to me, “So you’re going to tell me that if one of your security officers was assaulted I couldn’t get the video?” I said that’s right, “Because I may be able to tell you who the security officer is but I may not be able to tell you who the other person is because it may be a patient.

Carson: We had a similar situation where we had a very serious event happen at one of our sites and I got to the site and a constable was walking around with the videotapes in his hand and I looked at him and looked at my security director who was there at the time and asked ”˜What is he doing with our surveillance video?’ Her answer to me was, “Well, they asked for it.” The policy clearly states video does not get released, unless under warrant and I had to take it back from the constable — what a discussion that was.

CSM: Do any of you work with a privacy officer?

Summerville: In my previous position with CHUM television, I worked with our privacy officer, who also served as my firm’s legal counsel as it pertained to contractual law. Her background did not allow her sufficient experience or depth to understand the need to monitor “common areas” that captured images of all access/egress locations for purposes of displaying due diligence and as a means of deterrence. 
Once shared, I found counsel supported the camera positions and applications and actually became a brilliant supporter of security operations.

Galin: We have a privacy officer; he is retiring soon and it seems nobody else wants the job. He is one of the senior executives. There was one investigation I was involved in where we were looking into the potential release of some confidential information about employees and we gathered all the information and tried to identify the risk and had a meeting with the internal communications person, myself, HR, legal and the privacy officer. It was really more consulting with the privacy officer — he wasn’t driving the investigation. Once all the facts were on the table the question was, do we have an issue? And the response was, there is no requirement for reporting — our obligation is to notify the employees who have a potential exposure of information and the ball was passed to HR. But I think nobody wants the role because, in our business, it’s one of the few positions in which one error can render you unemployed. There’s so much at stake — for someone in that position, in an executive vice-president role, perhaps they shy away from that but someone who is maybe looking for a major promotion may be willing to take on that liability.

Carson: I deal with multiple privacy officers. We have one for the BLJC and he’s legal counsel and that’s the predominant person in that role. But there is also a privacy officer for the government side of the business.

CSM: Roger, do you offer advice to clients on education of privacy issues or do you wait for them to ask?

Maslen: We talk about securing confidential information, but it may be not so much a privacy issue but the protection of that information. The oil companies have all their maps stored in a certain area because it’s critical information, but not so much from a privacy standpoint, really. But there does seem to be a huge problem out here with laptop computers going missing so we will talk about the protection of assets and equipment and privacy is part of that. The laptops not only contain personal information, but corporate information that is critical.

Carson: It sounds like it’s another business vertical for people in the consulting business. It is as big as Sarbanes Oxley (SOX) compliance because SOX compliance came out of nowhere and you saw KPMG and every other firm jumping into consulting, so privacy consulting sounds like it’s another business vertical.

Galin: Everything relies on education, no matter what we do in terms of putting in physical controls.  Earlier we talked about laptop theft and loss, but something scarier to me right now is USB memory devices. You get a 2G or higher memory device that fits in a pocket you’ll never see it. Chances are, you will see someone walking out with a laptop but you’ll never see these devices and there will be no record they are gone because someone can bring one in just as easily. If you lose a laptop, you’re likely to become aware of that loss very quickly and the timeliness of the loss awareness is a big factor in recovering things and the devices can be gone for a long time. We have a policy that all data on a portable device must be encrypted, and without the encryption key, the data is useless to them.

CSM: So how do you combat some of these things that could lead to a large breach of data?

Carson: Education is possibly one of the most important things in relation to privacy, as is good communication. If you’re not effectively communicating to the proper people what your expectations are in relation to standards that have been put in place, it’s all for naught.

CSM: Does a problem develop for security when HR starts asking for surveillance footage of employees?

Galin: In my experience, HR has been the last to want to use any video. The HR groups I’ve worked with have been sensitive to people’s privacy, even before it was legislated.

Green: I get requests all the time from department managers wanting access to logs off card readers. When did a person swipe in and swipe out? I will not release it unless it’s approved by HR. I’ve explained it to HR and the managers, saying the system isn’t designed to monitor employees — it’s there to provide safe and secure access. It’s not there to spy on employees. If you want me to use it for that purpose it needs to be cleared by HR.

We’ve had situations where employees haven’t come home at the end of their shift and we’ve had concerned family members calland say dad hasn’t shown up, can you check access records?

CSM: Are employees still considered the biggest risk to an organization’s ability to protect privacy?

Carson: The short answer is yes, if there is no process or policy put in place and the short answer is no if they are educated properly. From my perspective, when trained appropriately they can be one of your biggest advocates or one of your biggest detractors.

Green: Without question, yes they are the greatest risk. If they do something or forget to do something and privacy is violated, then it falls down on the employee. I’ll never forget an incident that happened at another hospital I don’t currently work at where an employee inadvertently dropped a patient file while they were transporting it from one portion of the building to the other which meant walking across the street. It was found by somebody who called up a local TV station in the city of Toronto and reported it. It ended up being CityTV’s lead story — that a patient record was flying around the street. It was an employee accident, an employee error but it was the lead story at six o’clock.

Galin: I would answer that as a yes, too. I think no matter what you do in terms of technology and physical controls, you’re most at-risk component is employees. You can overcome weak technologies and weak procedures through very strong employee diligence and I think the reverse can be applied as well.

Carson: There’s another facet to this and it’s your contractors and how they handle privacy, or don’t. I had a situation a couple of years ago where we had an issue of poor shredding policies with a company. When I went out to the site I asked for their standards in relation to shredding and the gentleman looked at me and said it was at their head office. I said ”˜How come it isn’t here?’ He said they hire temps and when I asked if they got criminal record checks he said they’d have to find out through the temp agency. I found out later that they didn’t. They were employed by us for about three-tenths of one second after that but there is an example of due diligence in vetting the vendors and how they handle things because you get tarred with the same brush. Saying “Sorry, it was our vendor…” forget it, you’re going to get shot just like they will.

Maslen: I’d like to get an opinion from the group on an office environment and an employer wants to install a covert camera to monitor activity on one particular employee?

Summerville: I would say yes, but that doesn’t mean you’re going to do anything with it.

Maslen: It’s not one of those situations where you’re looking at potential theft or potential damage, it’s more where the individual is not doing what they should be doing or is out of the office much more than they should be.

Summerville: We don’t want to confuse monitoring systems with basic skills of supervision. I find sometimes, some supervisors and mangers want technology to replace basic supervision they should be doing anyway.

Carson: We had an investigation that happened out of our head office. It was a criminal investigation, and if the person walked up and asked us if we were investigating them, we would have to tell them there was an investigation on-going but how the investigation was being conducted would be private to the organization. If they asked us, we had to tell them. Other than that, we were given free reign and subsequently we arrested that individual and he/she was charged.

Galin: I can think of some instances, not related to my job. The big organizations are likely to do it right, but I think there is a problem with smaller business. In one case, a pub and the woman who was the bartender was being monitored via the Internet by cameras installed by the owner. Everyone was upset that he was installing cameras. He said he was doing it for security, in case they were ever held up, but, there were no cameras on the entry or exit. There was one camera at one end of the bar that looked up and you only see on the bartender side focused on the case register. Occasionally he’d phone and say “how come the bus boy is just standing there, shouldn’t he be doing something?”

They were all very annoyed about this. I made a lot of calls but nobody seemed to have an authoritative opinion on whether or not he was entitled to do it and under what circumstances — no one wanted to touch it. The other example was at a vehicle dealership. It was cold and the parts people were complaining about how cold it was in the building and they said the last time they turned up the thermostat, the  owner called in because his daughter had seen it on video at home. As far as I’m concerned, that’s an abuse of their privacy and taking place of supervision and management.

I’ve actually written into the security policy what the video images can be used for and I’ve taken a stand. I’m going to do everything I can to prove that I didn’t contribute to them being used improperly. ”¢