The Complaint
1. Summary of Facts
The Complainant needed to use a computer in her work, so her employer ("the Organization") provided her with a computer ("the Computer") that could access email and Internet services. For security purposes, the Complainant was assigned a user name and set her own password ("the Password") to log in to the Organization's computer system. The Complainant's supervisor asked her several times for the Password for "emergency use" by the Organization. She finally disclosed the Password to her supervisor.
The Complainant's supervisor later found that she had used the Computer to play online games during office hours. In this connection, the Complainant's supervisor, with the consent of the Organization, logged in to the Computer after she was off duty using the Password she had previously provided, and collected her browsing data (i.e. the cookie data stored in the Computer ("the cookies")). Having learnt of the incident, the Complainant complained to the Office of the Privacy Commissioner for Personal Data ("PCPD") that the Organization had logged in to the Computer and collected the cookies without notifying her.
In response to the Privacy Commissioner's enquiry, the Organization said that the Computer belonged to the Organization and had been provided to the Complainant for business use only. Therefore, the data stored in the Computer were also owned by the Organization, and the Organization had the right to log in to the Computer and access the data stored in it. Moreover, the Organization believed that the Complainant's supervisor had not intended to collect the Complainant's "personal data" when accessing the data in the Computer, and that the cookies were not the personal data of the Complainant. However, during the PCPD's investigation, the Organization deleted the cookies.
2. Issue of the Case
(1) Whether the collection of the cookies by the Complainant's supervisor constituted collection of the Complainant's personal data;
(2) If the answer to (1) is "yes", whether the means by which the Complainant's supervisor logged in to the Computer and collected the cookies without notifying the Complainant were fair; and
(3) Whether the Organization had taken all practicable steps to ensure that the Complainant was aware of the Organization's policy and practices in respect of personal data, including whether the Organization had followed section 3.2.4 of "Privacy Guidelines: Monitoring and Personal Data Privacy at Work" ("the Guidelines") by clearly stating the conditions of use of work-related communication facilities in its Employee Monitoring Policy so that the Complainant could respond with appropriate behaviour, and had followed section 3.3.1 by taking practicable steps to ensure the Complainant was aware of the policy once it had been put in place.
Outcome
1. Reasoning
(a) The Case Involved Collection of "Personal Data"
Cookies are merely data stored on a computer about the websites that computer has browsed; if a cookie does not contain any data that uniquely identifies an individual (e.g. the name of the user), the cookie itself does not satisfy the definition of personal data. In other words, whether the cookies in a given case are personal data depends on whether they contain any data that can identify an individual, or whether they are held or used together with other personal identifying information.
The cookies in this case contained the Complainant's English name and the websites browsed by her. The Complainant's supervisor evidently logged in to the Computer for inspection after discovering that the Complainant had played online games on it. The supervisor created files containing the cookies, which recorded the Complainant's browsing history and browsing times, as evidence that the Complainant had used the Computer for unauthorized activities. As the cookies contained an English name that could identify the Complainant, and as they were records gathered by the supervisor to address the Complainant's suspected breach of regulations, the Privacy Commissioner considered that the practice constituted collection of the Complainant's personal data.
(b) Collection of Personal Data by Unfair Means
Reasonable Expectation of Privacy
According to the findings of the Privacy Commissioner, the Organization had not taken any practical measures to stop or prohibit the Complainant from using the Computer for private purposes or for storing private data. In addition, the Organization allowed its employees to change their passwords themselves, but did not require them to provide their passwords to colleagues or to inform colleagues when their passwords changed. It was obvious that even if the Organization's employees had a practice of sharing computers and passwords, they provided their passwords to colleagues only to facilitate their work, and the Complainant should not be deprived of her reasonable expectation of privacy in using the Computer.
There was no evidence in this case that any staff member other than the Complainant's supervisor knew the Complainant's Password. The Privacy Commissioner was of the view that, in normal circumstances, the Complainant was the sole user of the Computer and other staff members would not use it without notifying her.
It was apparent that the supervisor's act of collecting the cookies by logging in to the Computer with the Password provided by the Complainant was inconsistent with the original purpose for which the Password had been collected. Moreover, the "needs of the work" or "the Organization's request" cited when he asked the Complainant for the Password was too general. As the cookies were not directly related to the Complainant's daily work, even if the Complainant might have expected her supervisor to log in to the Computer to look for job-related data, she could not reasonably have expected him to log in with her Password to collect the cookies after she was off duty.
In view of the above, the Privacy Commissioner considered that, on the information in this case, the collection of the cookies by the Organization was not consistent with the Complainant's reasonable expectation of privacy in using the Computer.
Alternatives
On the other hand, the Privacy Commissioner considered that, unless there are special supporting grounds, data users should not collect personal data by covert means, because doing so seriously intrudes on an individual's privacy. Had the Complainant's supervisor logged in to the Computer in the Complainant's presence during office hours, the purpose of checking the Computer would not have been affected. In any case, there was no evidence that the Organization had considered using other, less privacy-intrusive alternatives.
Conclusion
The Privacy Commissioner was of the view that the supervisor's act of logging in to the Computer in the Complainant's absence, using the Password obtained at "the Organization's request", to access the cookies was an unfair collection of personal data, and thus the Organization had contravened DPP1(2).
(c) Contravention of DPP5
At the time of the incident, the Organization had only one brief notice stating that its computers could be used by staff for business purposes only; it did not mention that the Organization would log in to employees' computers with their passwords to collect their browsing records. Furthermore, there was no information showing that the Organization had issued the relevant notice to the Complainant when she took up the post. In this connection, the Privacy Commissioner considered that the Organization had not clearly notified the Complainant of the purpose of employee monitoring, the monitoring activities that might be undertaken, or the use to be made of the data collected. Therefore, the Organization had not taken the steps under sections 3.2.4 and 3.3.1 of the Guidelines to ensure that the Complainant was aware of the content of the policy.
After considering all the circumstances of this case, the Privacy Commissioner opined that the Organization had not taken all practicable steps to ensure that the Complainant was aware of the Organization's policy and practices on recording employees' browsing history on its computers. The Organization thus contravened DPP5.
2. Action taken by the PCPD
Regarding the Organization's contravention of DPP1(2), an enforcement notice was issued directing the Organization to stop using employees' passwords to log in to their computers and access their browsing history unless their prior consent had been obtained.
Moreover, the Organization has since put monitoring and security policies in place and has reminded its employees of them. The Privacy Commissioner considered that the Organization had taken appropriate measures to ensure that its employees were aware of its policy on monitoring their use of computers for Internet browsing. Therefore, there was no need to issue an enforcement notice in respect of the contravention of DPP5.
3. Remedial Action by Party Complained Against
The Organization has complied with the requirements of the enforcement notice.
Uploaded on the web in September 2010