Electronic Monitoring Policy
Classification number | ADM 1324 |
---|---|
Framework category | Administrative |
Approving authority | President |
Policy owner | Chief Transformation and Organization Culture Officer |
Approval date | December 23, 2022 |
Review date | December 2025 |
Purpose
-
The Ontario Working for Workers Act, 2022 requires certain employers to introduce a written policy regarding their electronic monitoring practices. To that end, the purpose of the Electronic Monitoring Policy (“the Policy”) is to provide information and transparency about how the University may electronically monitor and collect information pertaining to its employees.
This Policy, in conjunction with the Technology Use Policy and other related policies, describes how and when the University may electronically monitor its employees and collect information about them electronically. Such monitoring will occur in a manner that is consistent with the University’s values of integrity and responsibility, honesty and accountability, and intellectual rigour.
Definitions
-
For the purposes of this Policy the following definitions apply:
“Active Electronic Monitoring” means the targeted use of devices or software to intentionally track the activities and/or physical location of an identified employee or employees in real time pursuant to an investigation.
“Passive Electronic Monitoring” means the routine collection and retention of information or activity in physical spaces and on the digital network.
Scope and authority
-
This Policy applies to all employees as defined by the Ontario Employment Standards Act, 2000 (“ESA”). For clarity, “employee” under this Policy means only those employees of the University who are considered employees under the ESA.
-
This Policy does not provide employees any new rights or right to not be electronically monitored. Nothing in this Policy affects or limits the University’s ability to conduct electronic monitoring, or use information obtained through electronic monitoring.
-
Nothing in this Policy is intended to amend or supersede any grievance procedure or other aspect of any applicable collective agreement.
-
The Chief Transformation and Organization Culture Officer, or successor thereof, is the Policy Owner and is responsible for overseeing the implementation, administration and interpretation of this Policy.
Policy
-
For purposes of this Policy, the University has distinguished any applicable monitoring as either Active or Passive Electronic Monitoring.
-
Active Electronic Monitoring
- Active Electronic Monitoring of employees will be undertaken in accordance with the University’s Technology Use Policy.
- Active electronic monitoring of employees may also include direct access to the contents of the personally assigned account(s) and/or the device(s) used by an identified employee, which may include, but are not limited to, email, voicemail, SharePoint, OneDrive, Google Drive and other storage space assigned for use by an individual employee.
-
The University does not engage in Active Electronic Monitoring for the purpose of employee performance management unless there is reasonable cause to suspect employee misconduct.
-
Passive Electronic Monitoring
- The University reserves the right to use data that has been collected and retained from Passive Electronic Monitoring and may access information from the personally assigned account(s) and/or device(s) of an identified employee, including for purposes outlined in the University’s Technology Use Policy.
- The University reserves the following rights, among others:
- To collect data relating to activities on university premises and on the university network that may be attributable to identifiable persons.
- To use the data for the purpose of assuring safety, security, and comfort within physical spaces on university premises, and other uses deemed appropriate and necessary.
- To use the data for the purpose of assuring the availability, integrity, and confidentiality of digital assets and resources connected to the university network or otherwise provided by the university, and for other uses deemed appropriate and necessary.
- When an employee retains information related to university business operations or the operation of their department, unit, or team within their personally assigned account(s) and/or devices, and that employee is not available to retrieve the information, the University may directly access the account of the employee with oversight from appropriate authorities and in compliance with relevant legislation and University policies.
- Data collected through electronic monitoring may be utilized to enforce other policies, and the circumstances under which such monitoring may occur may be addressed and specified in those policies.
-
In the event that the University collects any personal information, as defined in the Freedom of Information and Protection of Privacy Act (“FIPPA”) when using the electronic monitoring tools listed in Appendix A, the University shall collect, use and disclose personal information in accordance with the applicable legislation, including, but not limited to, FIPPA.
-
Posting, Notice and Retention
- The University will provide all current employees with access to or a copy of this Policy within 30 calendar days of implementation. The University will provide all employees hired after this Policy is implemented with access to or a copy of this Policy (or the applicable revised version) within 30 calendar days of the employee’s start date. The University will provide a copy of the Policy to all assignment employees assigned to perform work for the University within 24 hours of the start of the assignment or within 30 days of its implementation, whichever is later.
-
The University will retain a copy of this Policy and any revised version of this Policy for a period of three (3) years after it ceases to be in effect.
-
Amendments
- This Policy may be amended from time to time in the University’s sole discretion, in accordance with the University’s Policy Framework, in which event it will provide an amended copy of the Policy to all employees within 30 days of the date the amendment becomes effective.
Monitoring and review
-
This Policy will be reviewed as necessary and at least every three years. The Chief Transformation and Organization Culture Officer, or successor thereof, is responsible for monitoring and reviewing this Policy.
Relevant legislation
-
Ontario Working for Workers Act, 2022, S.O. 2022, c. 7 – Bill 88
Ontario Employment Standards Act, 2000, S.O. 2000, c. 41
Ontario Occupational Health and Safety Act, R.S.O. 1990, c. O.1
Related policies, procedures & documents
-
Technology Use Policy
Personal Use of University Resources
Ethical Conduct Policy
Appendix A
-
Examples of current specific uses of passive electronic monitoring data (which may be changed or updated from time to time), and examples of potential instances of targeted Active Electronic Monitoring
Passive electronic monitoring of physical spaces
The University collects data and information about activities in physical spaces on the university premises. This data includes, but is not limited to, video, audio, physical access requests through electronic door locks, and the physical location of devices on university premises.
Security Cameras
Security cameras collect and retain video of physical spaces. Security camera locations are selected at the discretion of the University.
Electronic Door Locks
Electronic door locks collect and retain logs of physical access attempts to restricted areas. Data collected may include, and is not limited to:
- the date and time of the request,
- the unique identifier of the card being used to attempt access.
Passive electronic monitoring of digital identities, assets, and resources
The University collects data about network requests made by devices on the wired and wireless network. This data may include, and is not limited to, the date and time of the request, the name and internet protocol address (“IP address”) of the requesting device, and the name and IP address of the digital asset or resource being requested.
The University collects data about cybersecurity threats within the content of network sessions. This data may include, and is not limited to, the results of malware scans, and the behaviour of executables, files, software, code, and processes when opened or accessed, and other data about cybersecurity threats.
Domain Name System (DNS) Servers
DNS servers collect and retain logs of internet resource requests. Automated analysis of internet resource requests is performed to prevent exposure to known cybersecurity threats. Data collected and retained may include, and is not limited to:
- the date and time of the request,
- the name and IP address of the requesting device,
- the name and IP address of the resource being requested (e.g., websites and other resources that are accessed by devices on the university network),
- details about cybersecurity threats prevented and/or detected.
Data collected by DNS Servers may be correlated with other data sets to monitor activities of an identifiable person or persons.
Firewalls
Firewalls collect and retain logs of network connections, including connections from the internet to digital assets and resources on the network, connections from devices on the network to websites and other resources on the internet, and connections between devices on the network. Automated analysis of network connections and the content thereof is performed to prevent exposure to known cybersecurity threats. Data collected may include, and is not limited to:
- the date and time of the request,
- the name and IP address of the requesting device,
- the name and IP address of the resource being requested (e.g., websites and other resources that are accessed by devices on the university network),
- details about cybersecurity threats prevented and/or detected.
Data collected by Firewalls may be correlated with other data sets to monitor activities of an identifiable person or persons.
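The two preceding paragraphs (DNS and Firewalls) both note that connection logs, which record only an IP address, can be correlated with other data sets to attribute activity to an identifiable person. The script below is an added illustration of that correlation, not code from the policy or from any University system: it joins constructed DNS-resolver log lines with constructed authentication log lines, attributing each request to the netID that most recently signed in from the same IP address. The log format, field names, sample values and the eight-hour session window are all assumptions made for the example; the same join applies unchanged to firewall connection logs keyed on source IP.

```python
"""Attribute IP-keyed DNS/firewall log lines to a netID via authentication logs.

Added example, not part of the policy. Log formats and all values below are
constructed for illustration; the session window is an assumed parameter.
"""
from datetime import datetime, timedelta, timezone

# Constructed authentication log: who signed in, from which IP, and whether it succeeded.
AUTH_LOG = [
    "2024-03-04T08:00:10Z netid=abc123 ip=10.20.30.41 result=success",
    "2024-03-04T08:05:00Z netid=xyz789 ip=10.20.30.42 result=success",
    "2024-03-04T09:30:00Z netid=def456 ip=10.20.30.41 result=success",  # IP re-assigned
    "2024-03-04T09:31:00Z netid=bad000 ip=10.20.30.43 result=failure",  # must not count
]

# Constructed DNS resolver log: requesting IP, queried name, filtering verdict.
DNS_LOG = [
    "2024-03-04T08:01:00Z client=10.20.30.41 qname=mail.example.edu verdict=allowed",
    "2024-03-04T08:02:30Z client=10.20.30.41 qname=evil.example.net verdict=blocked",
    "2024-03-04T09:32:00Z client=10.20.30.41 qname=updates.example.com verdict=allowed",
    "2024-03-04T12:00:00Z client=10.20.30.42 qname=intranet.example.edu verdict=allowed",
    "2024-03-04T18:00:00Z client=10.20.30.42 qname=stale.example.org verdict=allowed",
    "2024-03-04T07:00:00Z client=10.20.30.99 qname=isolated.example.org verdict=allowed",
]


def parse_line(line):
    """Parse 'ISO-8601-timestamp key=value key=value ...' into (datetime, dict)."""
    ts, *fields = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, dict(field.split("=", 1) for field in fields)


def build_ip_sessions(auth_log):
    """Map each IP to a time-sorted list of (login_time, netid) for successful logins."""
    sessions = {}
    for line in auth_log:
        when, kv = parse_line(line)
        if kv.get("result") != "success":
            continue  # a failed login does not establish who was using the IP
        sessions.setdefault(kv["ip"], []).append((when, kv["netid"]))
    for entries in sessions.values():
        entries.sort()
    return sessions


def attribute_dns_events(dns_log, auth_log, window=timedelta(hours=8)):
    """Attribute each DNS request to the latest successful login from the same IP
    at or before the request time, provided that login is within `window`.

    Taking the latest login (not the first) handles DHCP re-assignment of an IP
    to a different person; the window avoids blaming a long-gone user for traffic
    from an IP nobody has signed in from recently. Unattributable requests get None.
    """
    sessions = build_ip_sessions(auth_log)
    results = []
    for line in dns_log:
        when, kv = parse_line(line)
        netid = None
        for login_time, candidate in reversed(sessions.get(kv["client"], [])):
            if login_time <= when:
                if when - login_time <= window:
                    netid = candidate
                break  # earlier logins are superseded by this one
        results.append({
            "time": when.isoformat(),
            "ip": kv["client"],
            "qname": kv["qname"],
            "verdict": kv["verdict"],
            "netid": netid,
        })
    return results


def activity_by_netid(attributions):
    """Group queried names per identified person; unattributed requests go under None."""
    by_person = {}
    for record in attributions:
        by_person.setdefault(record["netid"], []).append(record["qname"])
    return by_person


if __name__ == "__main__":
    grouped = activity_by_netid(attribute_dns_events(DNS_LOG, AUTH_LOG))
    for person, names in grouped.items():
        print(person or "<unattributed>", names)
```

The join is only as reliable as the authentication data: a shared or NATed address, a device used without signing in, or a stale session outside the window all leave requests unattributed rather than guessed, which is the conservative behaviour to want before any result is used against a named individual.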
Authentication and Authorization
The University collects data about authentication attempts to digital assets and resources. This data may include, and is not limited to, the date and time of the authentication attempt, the authentication identifier (e.g., netID) and IP address of the requestor.
Azure Active Directory
Digital assets and resources collect data about successful and unsuccessful authentication attempts.
ADFS (Active Directory Federation Services)
The University collects data about communications entering, leaving, and within the network. This data includes, but is not limited to, the date and time of the communication, identifiers of the sender and recipient, the names and IP addresses of devices that have handled the message, the subject, and details about the size and type of any attachments.
The University collects data about cybersecurity threats within the content of attachments to communications. This data may include, and is not limited to, the results of malware scans, and the behaviour of executables, files, software, code, and processes when opened or accessed, and other data about cybersecurity threats.
Microsoft 365
The Microsoft 365 platform retains logs of text, video, and audio communications on the Teams application.
Email
Email servers, including Microsoft Exchange Online, retain logs of email communications.
Email servers, including Microsoft Exchange Online, retain logs of the results of cybersecurity threat analysis on the content of messages. Content may be retained if a cybersecurity threat is detected or suspected.
Audit and Compliance
The University collects data about access to and use of university records and other high value files. This data includes, but is not limited to, the date and time of the access, the authenticated person’s identifier (e.g., netID), actions taken on the record or file (e.g., create, modify, delete, download, etc.).
Microsoft SharePoint
Applications and sites on the Microsoft SharePoint platform may be configured to retain audit logs.
PeopleSoft
Applications and sites on the PeopleSoft platform may be configured to retain activity logs.
Endpoint Management and Protection
The University collects data about cybersecurity threats on university owned and issued devices, and personally owned devices that are protected by endpoint protection software managed by the University. This data includes, but is not limited to, the results of malware scans, internet resources to which the device has connected, and the behaviour of executables, files, software, code, and processes when opened or accessed, and other data about cybersecurity threats.
Microsoft Defender
Endpoint protection software collects logs of cybersecurity threat analysis on the content of files and network connections. Content may be retained if a cybersecurity threat is detected or suspected.
Examples of Active Electronic Monitoring of employees, which will occur in real time and pursuant to an investigation, may include, but are not limited to:
- Monitoring, by video surveillance or otherwise, the date and time of access to physical locations and digital resources.
- Monitoring internet resource requests.
- Monitoring physical location using global positioning system (GPS) technology. This data may also be collected passively and accessed at a later time.