Final Approval Body: Senior Leadership Team
Senior Administrative Position with Responsibility for Policy: Vice-Principal Finance and Administration
Date Initially Approved: October 11, 2022
Purpose
The purpose of the Electronic Monitoring Transparency Policy (the “Policy”) is to provide transparency about how the University may electronically monitor the activities of employees.
This Policy does not create any new privacy rights, or a right not to be electronically monitored, nor does it directly or implicitly restrict the purposes for which the University can use collected data. The University’s use of electronic monitoring tools for employment-related purposes is subject to rights an employee has under their employment contract, including any applicable collective agreement.
Definitions
Electronic monitoring is the use of technology to intentionally track the activity of university assets and resources.
Electronic monitoring of employees includes the use of data collected by electronic means that may include, without limitation, information about employee activity in physical spaces and on the university digital network.
Electronic monitoring of employees includes direct access to the contents of the personally assigned account(s) and/or the device(s) used by an identified employee. Personally assigned accounts include, without limitation, email, voicemail, SharePoint, OneDrive and other storage space assigned for use by an individual employee.
Examples of electronic monitoring may include, without limitation:
- Monitoring the date and time of access to physical locations and digital resources,
- Monitoring internet use,
- Monitoring physical location of assets using global positioning system (GPS) technology.
Scope
This Policy applies to all university employees, as defined by the Ontario Employment Standards Act, 2000 (“ESA”). For clarity, “employee” under this Policy means only those employees of the University who are considered employees under the ESA.
Electronic Monitoring of Employees
Passive data collection
The University collects data by electronic means that relate to the activity of university assets and resources.
The University uses data collected by electronic means to assure safety, security, and comfort within physical spaces on university premises; to assure the availability, integrity, and confidentiality of digital assets and resources connected to the university network or otherwise provided by the University; and for other uses deemed appropriate and necessary including, without limitation:
- Physical security – To assure the safety of community members and the physical security of premises; to monitor for violations of organizational policy; and, to monitor for violations of municipal, provincial, or federal laws.
- Environment management – To assess and manage the physical environment, including but not limited to heating, cooling, lighting, and other facilities services that contribute to a comfortable living and workspace.
- Information technology service assurance – To identify indicators of service degradation, and to assure ongoing availability and integrity of digital assets and resources connected to the network.
- Cybersecurity – To detect, prevent, and respond to cybersecurity events and incidents, and to assure the security and safety of digital identities, assets, and resources.
- Audit and compliance – To monitor and assure confidentiality and compliance with organizational policies, relevant legislation, and regulations.
Electronic monitoring of employees
The University does not actively monitor employees by electronic means in the normal course of business.
Use of data collected by electronic means is done with oversight from appropriate university authorities and in compliance with university policies and collective agreement requirements.
Data collected passively by electronic means may be used or correlated with other data sets to review activities of an identifiable employee under certain circumstances and for purposes listed below.
The University may use data collected by electronic means or may directly access the contents of the personally assigned account(s) and/or device(s) of an identified employee for the purpose of monitoring, evaluating, or investigating:
i. Physical security events and incidents,
ii. Cybersecurity threat detection, prevention, and response,
iii. Suspected violations of University Policy or applicable laws, or
iv. Identified concerns with employee performance, behaviour, or conduct.
The University may directly access the contents of the personally assigned account(s) and/or device(s) of an identified employee for the purpose of assuring business continuity.
Policy Review, Retention and Access
This Policy will be reviewed every five years, in accordance with university procedure, or more frequently if required by statute.
The University may amend the Policy from time to time as required by law or as it deems appropriate or necessary. If the Policy is amended, the University will provide each employee with access to or a copy of the amended Policy within 30 calendar days of the effective date of the amendment(s).
The University shall retain a copy of the Policy for three years after the Policy ceases to be in effect.
The University will provide each current employee with access to or a copy of the Policy within 30 days of its effective date.
The University will provide each employee hired after its effective date with access to or a copy of the Policy within 30 calendar days of the employee’s start date.
The University will provide assignment employees (i.e., temporary employees contracted through staffing services) with access to or a copy of the Policy within 24 hours of the start of their assignment, or within 30 days of the Policy’s effective date, whichever is later.
Related Policies, Procedures, Guidelines
Digital Information Security Policy
Cybersecurity Incident Detect and Respond Policy
Responsible use of Digital Resources Policy
Access Authorization Procedure
Refer to the university policy library for relevant employment, information technology and cybersecurity, and privacy policies.
Policies Superseded by this Policy: none
Responsible Officer (senior administrator ultimately responsible): Vice-Principal Finance and Administration
Contact: Information Security Officer
Date for Next Review (five years from initial approval): October 2027