
Running head: REGENT BANK 1

Case Study: Regent Street Bank

Humber College

Marcos Cavenaghi

LAW 3001-0LA

Thursday November 6, 2014

Kerri O’Hara: 822.331.021
Salima Alidina: 821.461.522
Brandon Vel: 821.507.738
Daniel Bozzo: 806.428.744
Chris DaCosta: 822.405.841


Table of Contents

Executive Summary 3

Introduction 4

Problem Statement 5

Alternatives 6

Implementation 8

Conclusion 9

References 10


Executive Summary

Charles Landry, Chief Information Officer (CIO) of Regent Street Bank (Regent), was considering options to implement new software at its London, Ontario branch in response to the recent stock trading scandal involving the American celebrity Martha Stewart. The software, known as Topaz, was designed to scan e-mail communications to identify keywords, phrases, and sentences that were considered inappropriate. Through a screening process, flagged communications would then be archived in a central database for later review and human analysis.

The issue: routine searches could screen e-mail communications that also contain sensitive and personal information about an employee and/or customer. Upon human analysis, the manager whose duty it is to address the situation with the employee may then hold a biased opinion of the matter (whether intentionally or not) after reviewing that individual’s personal information.

Our proposed solution: implementing an alternative that allows employees to redeem themselves if suspected of breaching company privacy through the Topaz software.

This would be optimal in comparison to the other alternatives provided, in that the liability for confidentiality breaches is minimized on behalf of both the employer and the employee.


Introduction

In Canada we have two federal laws which protect our privacy: the Privacy Act, which deals with the personal information handling of the federal government, and the Personal Information Protection and Electronic Documents Act (PIPEDA), which is the private sector privacy law (PIPEDA Fact Sheet, 2014). PIPEDA provides rules for how businesses can legally collect and/or use employees’ personal information; since collecting this information is necessary in many organizations, it is important that the individual’s privacy remains protected (PIPEDA Fact Sheet, 2014). Personal information is defined as any information about an individual, which includes age, income, gender, employee files and more (PIPEDA Fact Sheet, 2014). Information which does not constitute personal information includes an employee’s name, title, and place of business; the Act also does not apply to the use of personal information for personal reasons, nor to provincial or territorial governments and agents of the Crown in right of a province (PIPEDA Fact Sheet, 2014). Under PIPEDA, personal information must be collected with consent and for a reasonable purpose, kept accurate, stored securely, made accessible, and used and disclosed only for the purpose for which it was collected (Mark, 2009).

In this case, Regent Street Bank, which employs 15,000 people nationwide, wanted to ensure that its employees were acting appropriately (Mark, 2009). Since the Tournier case of 1924, where an employee disclosed personal information and lost his job as a result, banks have had strict privacy policies to protect their customers’ information (Mark, 2009). Seeing that customer privacy was properly protected, the focus then turned to employee privacy. As part of Regent’s Principles of Business Conduct, employees’ email and voice messages could be monitored by Regent (Mark, 2009). In order to confirm that employees were not acting inappropriately, software called Topaz screened email messages for certain words and sentences and archived them in a database; anything flagged was sent for human analysis (Mark, 2009). With regard to telephone calls, call centres recorded the conversations (Mark, 2009). Although these measures are put in place to ensure that employees are not disclosing any sensitive information, employees may be concerned about the possibility of their personal information being flagged in a message.


Problem

The central issue in the case is whether the private information read and digested by the manager while reviewing flagged messages can be expected to be erased from his or her memory (Mark, 2009). When the routine searches flag email messages that also contain employees’ personal information, they will directly breach the employees’ privacy under PIPEDA. This major problem causes security and privacy issues amongst Regent Street Bank employees. It will allow the managers of the bank to gain access to the employees’ personal emails, along with the private information contained within them. Furthermore, they will be able to see customers’ personal information that should be protected under PIPEDA. This goes against ‘Privacy Principle 3 – Consent’ under PIPEDA, whereby “the knowledge and consent of the individual are required for the collection, use, or disclosure of personal information, except where inappropriate” (Privacy Commissioner of Canada, 2011). When the employees or customers provided this information, they gave consent only for the purpose for which it was initially being used, not for managers to look at it because the message got flagged.

The Topaz software will also bring many ethical issues into the company, such as managers reading personal e-mails and forming biased opinions because of those messages. This leads to the question: should managers be able to read through an employee’s personal information just because Topaz flagged a word in the email that it deemed a security issue?

By reading these e-mails, managers could learn about a private matter, which could give them a biased opinion about that employee. This could potentially lead to the employee being fired or demoted simply because the manager read something that he or she did not agree with, even though it had nothing to do with the bank or a breach in security. Sensitive information about employees that does not affect the manager or the bank should be protected by PIPEDA ‘Privacy Principle 7 – Safeguards’, under which “personal information shall be protected by security safeguards appropriate to the sensitivity of the information” (Privacy Commissioner of Canada, 2011), but this law is not being abided by with the use of the Topaz software.


Alternatives

The breach of privacy within the industry led us to these alternatives that could aid the proposed software implementation by Regent Bank:

The first alternative, which can aid in protecting a company from digital espionage, would be engaging a third party responsible for the human analysis of Topaz-flagged communication. This alternative can prevent conflicts of interest between the employee and manager, and can prevent personal issues between the two parties. With a third party involved, the monitoring is done by a separate entity, which can ensure that employees are made aware of any privacy acts breached within the digital communications that are screened. A third-party company is able to ensure that all emails are screened; however, mistakes are made by humans and computers, which can result in a breach of privacy for the company. A message could pass the third party’s team and technology without them catching that privacy has been breached within the company.

A second alternative that could be implemented with Topaz is providing a manager to whom the employee does not report directly. This alternative can also avoid conflicts of interest between the two parties; employees are then protected and managers are able to proceed with their duties. The outside manager can report to the employee directly, bypassing the manager the employee works with day to day. This alternative will prevent the manager from directly approaching the employee they work with; however, a manager hired specifically to take care of these situations may breach the employee’s privacy by telling others about the situation that occurred. This manager would then be breaching the confidentiality of the employee by telling others about the situation, and compromising the manager’s job itself, which entails trust, values, and honesty.

As a third option, Regent Bank could give employees the opportunity to redeem themselves through the Topaz software. If an employee sent out an email that Topaz flagged as a privacy breach, a database would capture the breach and bounce the email back to the employee to give them a chance for redemption. If Topaz gives employees a redemption stage within the screening process for all emails sent from within the company, employees would have an advantage, and it would protect them from disciplinary action. Though employees could receive a second chance by implementing this system within the company, a downside to this alternative is that employees may always feel entitled to the second chance. Another issue with this alternative could be the database not capturing all of the privacy breaches, which would fail to give employees a second chance to redeem themselves.

Lastly, as our fourth alternative, eliminating the use of Wi-Fi at work for personal emails and personal phone calls could prevent digital espionage and protect the interests of the company. If this alternative is implemented, Topaz would increase the security of computers within the company in order to prevent any breaches of privacy. This in turn would remove the need for a conversation between the employee and the manager, and could avoid the conflict of interest altogether. Employees may have mixed feelings about this alternative, and may therefore resort to their cellular devices to communicate during working hours.

We have provided four alternatives that may solve the privacy issue at large. What follows is our proposed solution and implementation.


Implementation

The optimal alternative to the issue at hand would be implementing a database in charge of flagging emails deemed inappropriate to the workplace and returning those e-mail messages to the sender. The Topaz database is specific to the company and routes all emails through software in which the text is scanned and processed. This would eliminate likely instances of breached privacy among the employees of Regent Street Bank, as the user can clearly see where their email was flagged without it being sent on to the next user.

In order to implement this tactic, Topaz would have to collaborate with IT to alter the software provided to Regent. Alternatively, this monitoring software can be modified to evaluate employee e-mails, flag the misconduct and send the message back without review by Regent executives for disciplinary action.

This database would work much like Turnitin.com, in that the document/email is submitted through the server and evaluated, receiving a percentage of how much of the document/email is flagged as plagiarism or privacy-breaching, and where it does so. Furthermore, the software prompts the user whether or not they would like to continue submitting their document/email after they make changes. Regent Street Bank executives must collaborate with their employees to implement this “two-strike strategy” and come to an agreement on a fair chance for redemption after breaching the personal-use rules for Regent property.

Compared with the other suggested alternatives, this option is the most optimal, as it is a mutual advantage to both Regent executives and employees. This alternative directly addresses the issue of the use of Regent property while allowing employees the opportunity to avoid disciplinary action. Additionally, employing a third-party manager or eliminating the use of Wi-Fi are also possibilities in which either the managers or the employees are given fair treatment.


Conclusion

Regent Street Bank has clearly indicated and justified its need for increased security measures within the company to prevent digital espionage. There was, however, concern among employees that the implementation of the Topaz software contradicts their basic right to privacy under Principle 3 – Consent of PIPEDA (Privacy Commissioner of Canada, 2011). Although this new software implementation is necessary and requires consent from all employees to remain working at Regent, the method by which the company went about it did not consider equality of employer-employee privacy and confidentiality. That said, our proposed solution – implementing an alternative for employees to redeem themselves if suspected of breaching company privacy through the Topaz software – would be optimal in comparison to the other alternatives provided, in that liability for confidentiality breaches is minimized on behalf of both parties.


References

1. Fact Sheets. Office of the Privacy Commissioner of Canada. Retrieved November 4, 2014, from https://www.priv.gc.ca/resource/fs-fi/02_05_d_16_e.asp

2. Mark, K. (2009). Regent Street Bank. Ivey Publishing, 1-7.

3. Privacy Commissioner of Canada. (2011, September 16). Privacy principles. Retrieved from Office of the Privacy Commissioner of Canada website: https://www.priv.gc.ca/leg_c/p_principle_e.asp