
IN CAMERA

Report to Mayor and Council

Issues and Questions


Installation of
Employee Monitoring Software
on District Computers

Prepared by:
Andy Laidlaw
Chief Administrative Officer
June 15, 2015

Issues and Questions


Installation of Employee Monitoring Software on District Computers

BACKGROUND AND INTRODUCTION

At its May 4, 2015 In-Camera meeting, Council requested that the CAO provide a report in
response to a number of issues and questions related to the March 30th report of the Information
and Privacy Commissioner (Commissioner) and the use of the employee monitoring software,
Spector 360. While my findings are being presented to Council In-Camera to allow for a fulsome
discussion on matters that cannot be canvassed in open meeting, the report has been prepared so
that Council may choose to rise and report and release the findings to the public.

As way of introduction, I am acutely aware that my report will be subject to criticism by those who
believe it does not confirm their perceptions. This situation has been infused with politics from its
origins and I am cognizant that my findings will be subject to that lens. It is my view that the scope
of this issue is more limited than some may suggest. Although I have provided some additional
commentary later in this report, my task has been focused on providing complete answers to the
issues and questions posed by the Mayor and Councillors at the May 4th meeting.

RESPONSES TO ISSUES AND QUESTIONS


Who authorized the actions taken?
In May 2014 an Information Security Audit was completed by Wordsworth and Associates,
Information Technology Security Consultants. Implementation of audit findings was taken
under the approval of the CAO who is ultimately responsible for all operational decisions.
Directors were informed at a high level that an audit had been conducted and that measures
would be taken to further protect Saanich's information and technology system. At the
November 19, 2014 meeting, Directors were informed that additional security measures
would be installed and on which computers. Decisions on how to implement the measures
and what specific products would be used to address the identified business need were
made between the Director of Corporate Services and the IT Management team.


Why is there no agenda or minutes for the November 19, 2014 Directors meeting?
The November 19, 2014 Directors meeting was originally planned as one of the periodic
strategic development sessions, during which the senior management team works with a
facilitator on issues relating to the strategic direction of Saanich operations. The convention
has been that no formal minutes are taken at these sessions.

Given that November 19, 2014 was the first Directors session after the election, the CAO
determined that the senior management team would be better served by holding an informal
meeting that would allow for a free-flow of conversation about the incoming Council,
campaign topics with potential operational impacts on resources and capacity, orientation
sessions for the Mayor and newly-elected Councillors, the Governance Review, and other
post-election matters. There was no formal agenda or minutes as it was an information
sharing and brainstorming meeting about how to best support the new Council.

In addition to the above-noted items, examples of topics canvassed at the meeting included:

- The November 18th meeting with Mayor-Elect Atwell, the CAO and the Director of Legislative Services.
- Issues that arose during the campaign such as the level of bylaw enforcement, the desire for greater public participation including at Council meetings, walkability/mobility, climate change, etc.
- The potential for changes in committee structure.
- The potential for an increase in the amount of legal advice required as strategic direction shifts.
- The potential for changes in the approach to media, i.e. will the new Mayor still want to be the main spokesperson?
- The challenging budget cycle ahead for 2015.
- IT security and reports from some candidates about email tracking and hacked websites.
- The need to update all Council electronics.
- The importance of reminding managers that information provided to one Council member is normally provided to all.


What level within the organization made the decision and what level should have
made the decision?
The overall decision made to enhance the security of the information and technology system
(with specific timelines, criteria, and requirements) was made at the CAO and Director level.
The IT solution implemented met the requirements and timelines as outlined by the CAO.
The decisions were made at the appropriate level within the organization.

Why was the decision made then, just after the election? Is it standard in
organizations?
Between the time the audit was conducted in May 2014 and the election in November 2014,
more than 60 actions and initiatives were undertaken to upgrade the security of the
computer network. Installation of software to track the path of a hacker, intrusion or
malware tool was anticipated. This action was expedited by the CAO given the election of a
new Mayor and the concern that had been raised by some Councillors regarding
irregularities with their email and websites during the election campaign.

The media release stated that the installation was made "in response to" the
Information Security Audit. What does "in response to" mean?
The Information Security Audit made many recommendations with respect to the security of
the information and technology system. Some of these recommendations were related to
implementing intrusion detection/ prevention systems that, according to best practices, are
monitored 24/7. "In response" means that, looking at the audit findings and
recommendations in their entirety and considering the then state of the computer security,
the implementation of a security monitoring program was deemed warranted for its forensic
benefits.

We've heard some statements that the installation was to impress the Mayor. This
does not appear to be consistent with the actions?
The installation of the software was never intended to impress the Mayor. The software was
installed in response to the Information Security Audit and direction was expedited at the
CAO and Director level for the reasons noted previously.


Where did it get to the point of the full program being installed?
The program was installed according to the identified business requirements, based on the
default settings as recommended and provided by the vendor.

What are the facts about the Mayor's Network Access Form?
On December 2, 2014, the Mayor's Administrative Assistant and the IT Manager discussed
the installation and requirements of the Mayor's computer. Final tests were conducted to
ensure that the configuration was appropriate and that everything was working correctly.
Later that morning, the Mayor was handed the Network Access Terms and Conditions Form
by his Administrative Assistant with a member of the IT division in attendance and was
asked to return the completed form to his Administrative Assistant for processing. While the
Mayor initially stated that he had not received the form, he has subsequently reported that
he found the form in his office on December 22, 2014. Effective May 18, 2015, the Mayor
signed the form. The Mayor remains of the view that he was not provided the network
access form on December 2, 2014 and I am unable to reconcile this with the information
provided by staff.

Why was the incoming Mayor not just given the outgoing Mayor's old computer?
The outgoing Mayor had some personal information on the Saanich computer assigned to
him and he asked that he be allowed time to remove and store this information. To facilitate
this request the computer was physically removed from the Mayor's office.

Understanding that the installation was for network security, why was it put on the
Councillors' computers, which are not on the network?
Council computers were identified as part of the high risk group. As such, installation of a
security software tool on the Council computers provided the ability to protect the
organization and Council members in the event of unauthorized access and inappropriate
use of those computers by persons or programs with malicious intent. The computers used
by the Councillors are shared computers located in areas that could be accessed by anyone
attending at the Municipal Hall. In addition, the Councillors share a common login id and
password, and the computers are normally left unattended for significant periods of time.


During the election campaign some Councillors reported that their emails and websites had
been hacked and BOTs* had been discovered by their internet providers. Councillors can
access their personal email accounts through these computers and BOTs could be
transferred to the computers, then transferred to other systems, including Saanich's network,
through emails or sharing of flash drives. For all of the above reasons, installation of the
software on these computers was considered appropriate for its forensic benefits. (* A BOT,
which is short for robot, is a program that operates as an agent for a user or another
program, or simulates human activity. Such programs can be involved in malicious
activities when a computer is infected by a virus.)

Why weren't the Councillors informed that the software was on their shared
computers and given Network Access Forms to sign?
Details of the security measures installed to protect Saanich's information and technology
system are not shared with Council, employees or the public. Councillors were not asked to
sign Network Access Terms and Conditions Forms as they were not given access to the
network. Now that Councillors have @saanich.ca email accounts, all have been required to
sign the form. Completed forms have been received from all Councillors.

It's been said the installation of the software decreased security on the Councillors'
computers. What are the facts?
The expert advice provided to me by IT supports the response that the installation did not
decrease security. As noted above, the Councillors' computers are shared computers
located in areas that can be accessed by anyone attending at the Municipal Hall. In
addition, the Councillors share a common login id and password, and the computers are
normally left unattended for significant periods of time. The Councillors' computers are
similar to, for example, shared computers in a hotel's public business centre, which also
carry a high potential security risk.

An IT security program is used to control and mitigate the impacts of potential security
incidents. In the event of a security incident, the information provided by IT security tools are
used to determine the nature and specific details of malicious activity. Installation of this
software provided the ability to determine how the computer was attacked or hacked into,
what information was compromised, when the computer was inappropriately accessed and
what other malicious activity was performed. All of this information is critical to understand
and mitigate the effects of unauthorized and malicious use.

Was the software installed on the Council iPads?


Monitoring software was not installed on the iPads provided to Council. The implementation
of monitoring software on the iPads may have been considered after appropriate
examination and experience with the product. As it happened, all further examination and
evaluation of the software product ceased effective December 15, 2014 given the discussion
at the In-Camera Council meeting.

Why were there no log protocols put in place?


A paper system of log protocols and administrative processes was put in place at the time the
software was installed. In her March 30, 2015 report, the Commissioner states that
Saanich should have implemented logs for administrator-level access. During the OIPC
investigation, staff explained to the investigators that there is a difference between server
logs and application logs.

The software program has no ability to log itself (application logs), which means it cannot
produce a secure report (or log) of those employees who have logged on to the
administrator functions. The type of server on which the software resided does have the
capability to capture server-level diagnostic logs; these are tremendously large,
complex data files that record everything that happens within the system. They are
operational tools that IT staff use to resolve detailed technical problems. Such logs show
only that the administrator of the system has connected to the server that hosts the program,
and do not show what the administrator did within the application, including and specifically
the detailed interaction with the software program. It was determined that the
paper logs would be a more accurate record.
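The two records answer different questions: the paper log says what an administrator did, while the server log says when an account connected to the host. The check a practitioner would want is to reconcile them, because the server record is independent of the paper log and a paper log cannot show a session that nobody wrote down. The script below is an added example and is not part of this report or of the District's systems; the log line format, the account names, the host name and every entry in both logs are constructed for illustration (assumptions), and a real deployment would read the server's own logon records in place of the sample text.

```python
"""Reconcile server-level logon records against a paper administrator log.

Added example (not part of the report). The server log format, account
names, host name and all entries below are constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed sample: server-level logon/logoff records for the host that
# ran the monitoring application. The line format is an assumption:
#   "<date> <time> <account> <LOGON|LOGOFF> host=<name>"
SERVER_LOG = """\
2014-12-02 09:12:41 admin.jsmith LOGON host=monitor-srv
2014-12-02 09:48:03 admin.jsmith LOGOFF host=monitor-srv
2014-12-05 14:02:10 admin.kwong LOGON host=monitor-srv
2014-12-05 14:30:55 admin.kwong LOGOFF host=monitor-srv
2014-12-09 16:20:00 admin.jsmith LOGON host=monitor-srv
2014-12-09 16:55:12 admin.jsmith LOGOFF host=monitor-srv
"""

# Constructed sample: the paper log transcribed as (account, start time, purpose).
# There is deliberately no entry for the 9 December server session above, and
# the 12 December entry has no matching server session.
PAPER_LOG = [
    ("admin.jsmith", "2014-12-02 09:15", "post-install verification"),
    ("admin.kwong", "2014-12-05 14:05", "agent version check"),
    ("admin.kwong", "2014-12-12 10:00", "report review"),
]

SERVER_TS = "%Y-%m-%d %H:%M:%S"
PAPER_TS = "%Y-%m-%d %H:%M"


def parse_server_log(text):
    """Pair LOGON/LOGOFF lines per account into (account, start, end) sessions.

    A LOGON with no later LOGOFF is returned with end=None so it is still reported.
    """
    sessions = []
    open_logons = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # blank or malformed line
        ts = datetime.strptime(parts[0] + " " + parts[1], SERVER_TS)
        account, event = parts[2], parts[3]
        if event == "LOGON":
            open_logons[account] = ts
        elif event == "LOGOFF" and account in open_logons:
            sessions.append((account, open_logons.pop(account), ts))
    for account, ts in open_logons.items():
        sessions.append((account, ts, None))
    return sessions


def reconcile(sessions, paper_entries, tolerance=timedelta(minutes=15)):
    """Match each server session to one paper entry for the same account whose
    written start time lies within `tolerance` of the server logon time.

    Returns (unrecorded_sessions, unsupported_paper_entries):
      - server sessions with no paper entry (access nobody wrote down)
      - paper entries with no server session (written access the server never saw)
    """
    paper = [(acct, datetime.strptime(when, PAPER_TS)) for acct, when, _ in paper_entries]
    used = set()
    unrecorded = []
    for account, start, end in sessions:
        match = None
        for i, (acct, when) in enumerate(paper):
            if i not in used and acct == account and abs(when - start) <= tolerance:
                match = i
                break
        if match is None:
            unrecorded.append((account, start, end))
        else:
            used.add(match)
    unsupported = [entry for i, entry in enumerate(paper_entries) if i not in used]
    return unrecorded, unsupported


if __name__ == "__main__":
    unrecorded, unsupported = reconcile(parse_server_log(SERVER_LOG), PAPER_LOG)
    for account, start, end in unrecorded:
        print(f"server session with no paper entry: {account} {start} -> {end}")
    for account, when, why in unsupported:
        print(f"paper entry with no server session: {account} {when} ({why})")
```

The tolerance exists because a hand-written start time will rarely agree with the server clock to the second; it should be kept small enough that two sessions by the same account on the same day cannot both claim one paper entry. Either list being non-empty is the point of the exercise: the first shows administrator access the paper system missed, the second shows paper entries the server cannot corroborate.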

Did IT staff watch the Mayor change his password?


There is no evidence to support this other than that provided by the Mayor. As a final part
of the installation, IT staff acted in accordance with the vendor's specific direction to ensure
that the software program was working properly.


Reviewing data that is collected by a software program such as Spector 360 is not like
watching a video recording. Information captured by Spector 360 is collected in discrete and
separate packets for each of the sub-sections, e.g. screenshots, keystroke logging, email
recordings. A viewer would need to proactively assemble each of these discrete pieces of
information for a specific time period to create a picture (like a jigsaw puzzle) that would
allow data to be viewed in a meaningful way.

Was the discipline given to Saanich employees in violation of the Freedom of
Information and Protection of Privacy Act (FIPPA) section 30.03 Whistle Blower
Protection?
Full disclosure was made during the OIPC investigation. The OIPC did not find any violation
of section 30.03 of the Act.

Is there any correlation with respect to staff leaving the organization during these
times?
Six staff have left the Saanich IT Division during the period of December 2014 to May 2015.
One retired and the remainder resigned as they had accepted positions with other
organizations.

On the threshold of "should have known", was there anybody who should have
known that this software was inappropriate? Where was the error made?
There are no bulletins from the OIPC that explicitly state the specific product Spector 360 is
an inappropriate product. In her investigation the Commissioner identified that some
aspects / functions of Spector 360 were appropriate for computer security use. Other public
sector organizations within BC utilize this or a similar product and have installed it on their
network systems.

Decisions were made by the senior management in the best interests of protecting
Saanich's information and technology system. The product chosen met the business
requirements and criteria as laid out by the CAO. The implementation lacked a review
through the lens of FIPPA because the software was being viewed purely as an additional
security installation. Had a Privacy Impact Assessment (PIA) been completed prior to
installation, we believe the question of purposeful collection vs passive receipt would have
been canvassed and depending on the answer may have raised further questions that could
have altered the installation and/or configuration of monitoring software. Subsequently, the
Commissioner has reached a new conclusion regarding whether information is being
purposefully collected vs passive receipt that could not have been known previously.

COMMENTARY AND CONCLUSIONS


One of the more general questions asked by Council was, "Where were the errors?" I recognize
that Council has a need for accountability, however, it would be simplistic and inaccurate to point to
some decision or event. An objective of the organization was to mitigate security concerns raised
through the audit resulting in requirements that were communicated to staff and the organization.
This led to the selection and implementation of the security monitoring software. The lack of a
comprehensive privacy program and specifically the need to view security through the lens of
FIPPA, resulted in the missed step of a Privacy Impact Assessment not being completed. In my
experience, throughout local government the focus has been on a philosophy of freedom of
information and this was, in my opinion, contributory.

There have been questions with respect to the sequence and timelines of staff actions. The
Commissioner states, "Our view of those documents provided supported the timeline and positions
taken by District employees whom my staff interviewed." It is my view staff have been forthcoming
and their co-operation is noted in the Investigation Report.

In my opinion, there was a systemic disconnect within the organization on the issue of personal
privacy. In her report, the Commissioner indicated she intends to prepare a set of guidelines for the
future, and this will be helpful. There is obviously some uncertainty around this issue. It would
have been helpful to have had these guidelines at the time the decision to install the monitoring
software was made.

The Network Access Form which all employees are required to sign states:
The District may access, inspect, retrieve, review, read, copy, store, archive, delete,
destroy and distribute or disclose to others (including courts and law enforcement
authorities) all communication system data and uses, including email, voice mail and
internet use, without any further notice and as the District in its sole discretion may
consider necessary or appropriate. [my emphasis]
Employees understand that Saanich computer system monitoring may be used to record
and log systems access by individuals. Inappropriate website access may be audited and
details forwarded to the applicable Department Head, and Human Resources upon
request.
Email use and content may be monitored.

Similar protocols are in place throughout BC and in my view most public sector employees
understand this. The network access policy and the above statements have been in place for
many years and reflect the conditions under which employees use employer owned computers.
Everyone using the Saanich network is required to sign a consent form prior to being allowed
system access. Given the nature of the Mayor's office, leeway was provided and he was presented
with his access code prior to signing the form, a courtesy offered due to the amount of new
information and processes the Mayor was experiencing in his first few days.

Although I recognize the security needs, I believe and agree with the Commissioner that the
interface with privacy issues and the completion of a Privacy Impact Assessment should have led
us to conclude that keystroke logging and screenshot recordings could be reserved for specific
employment security issues.

With the complexity of the FIPPA guidelines I am questioning whether the use of employer
computers for personal use should now be completely restricted. This is a policy issue for review
and the most significant assumption of the Investigative Report:
"The District did collect personal information of employees and citizens through use
of monitoring software."

It would certainly not have ever previously been my view that public employees should be doing
personal banking or accessing medical records on the employers computer and expect privacy.
For example, if employers are going to permit access, will they have to put in place multi-layered
restrictions on some websites in addition to employee notifications? There are also two
interpretations of when collection of data occurs. One is the Commissioner's: at the moment
data is recorded and stored; and another, from case law - when the data is converted so the
content is known. The Commissioner has made it clear her interpretation is that data collected
equals data used. This presents some future concern with use of email, internet, and computers
for all government institutions and raises multiple and complex policy issues.

The Commissioner has determined the use of some aspects of this security tool are too intrusive.
That is the basis of the most significant finding which is either a finding that we should have been
aware of or a new threshold. The Commissioner states that during her investigation she became
aware of other municipalities that could benefit from guidance. The Commissioner's report now
provides clarity regarding her view of the current state of the law, and in my opinion sets a
benchmark which perhaps should have been understood, but which would have been subject to
interpretation. I am in agreement with the Commissioner that there was a reactive approach from
Saanich in terms of finance, privacy and resources for IT security, however the Commissioner does
state in her report that four of seven classes of information collected by Spector 360 are necessary
for the purpose of IT security.

The Commissioner's position is now understood and we are moving forward to ensure we are in
compliance with FIPPA. While Saanich has an excellent record with respect to providing access to
information under FIPPA, it has not kept pace with the shift in emphasis to privacy. The Legislative
Services Department has not been able to roll out the new privacy regulations in a comprehensive
manner due to issues of capacity and funding. This means that many staff have only a very basic
awareness of some of the newer privacy regulations and limited access to common tools which
would help them. Not unlike other public sector organizations, Saanich has some issues with the
maturity, understanding, and implementation of FIPPA's newer privacy measures.

I note that in her May 13, 2015 report to a legislative committee about Spector 360 and Saanich,
the Commissioner stated, "I think this was a teachable moment for many employers across the
Province, both in the public sector and the private sector." (Government of BC, 2015) I would
agree with that sentiment.


Council has adopted all the recommendations in the Commissioner's report and staff have started
work on a Privacy Review and Management Plan Project as part of the implementation of a more
comprehensive privacy program. We have obtained expert guidance in this matter and as directed,
I will ultimately report to Council confirming that the Commissioner's recommendations have been
implemented.

Following release of the Commissioner's Investigation Report, the Corporate Services and
Legislative Services Departments discussed how security measures will be reviewed through the
lens of FIPPA. The Commissioner has provided new interpretations applying to security and the
collection of personal information. As staff roll out a more comprehensive privacy management
program, the organization will continue to work together to achieve best practices looking to the
guidelines coming from the OIPC.

In summary, I have endeavored to answer Council's questions in appropriate detail. I am also
having a third party review undertaken by an independent external human resources consultant
with 30 years' experience in labour relations. I have tasked the consultant with advising me on any
perceived breach of conduct by staff. In carrying out the assignment, the consultant will review
relevant documents, including the Commissioner's report, and conduct staff interviews. The
consultant will include an interview with the Mayor and will make contact with those persons the
Mayor requests be interviewed. In my role as CAO, I will manage any human resources
recommendations arising from that report and advise Council.

Since December 2014, this issue has occupied an inordinate amount of resources and I have
provided the facts, as I know them to be. I will provide further information as requested by Council
and follow up on any concerns. This issue has impeded the District's operations long enough and
it is time to bring closure.

References
Denham, E. (2015). Use of Employee Monitoring Software by the District of Saanich. Victoria.
Government of BC. (2015, May 13). Select Standing Committee on Finance and Government Services. Report of Proceedings (Hansard Blues). Retrieved from http://www.leg.bc.ca/cmt/40thParl/session4/fgs/hansard/20150513am-Finance-Blues.htm