Running head: REGENT BANK 1
Case Study: Regent Street Bank
Humber College
Marcos Cavenaghi
LAW 3001-0LA
Thursday November 6, 2014
Kerri O’Hara: 822.331.021
Salima Alidina: 821.461.522
Brandon Vel: 821.507.738
Daniel Bozzo: 806.428.744
Chris DaCosta: 822.405.841
Table of Contents
Executive Summary 3
Introduction 4
Problem Statement 5
Alternatives 6
Implementation 8
Conclusion 9
References 10
Executive Summary
Charles Landry, Chief Information Officer (CIO) of Regent Street Bank (Regent), was
considering options for implementing new software at its London, Ontario branch in the wake of
the stock trading scandal involving American celebrity Martha Stewart. The software,
known as Topaz, was designed to scan e-mail communications for keywords, phrases,
and sentences considered inappropriate. Communications caught by this screening
would be archived in a central database for later review and human analysis.
The issue: routine searches could capture e-mail communications that also
contain sensitive and personal information about an employee and/or customer. Upon human
analysis, the manager whose duty it is to raise the matter with the employee may then
hold a biased opinion of the matter (whether intentional or not) after reviewing that individual’s
personal information.
Our proposed solution: give employees a way to redeem themselves when Topaz
flags them for a suspected breach of company privacy.
This is preferable to the other alternatives considered because it minimizes the liability
for confidentiality breaches on the part of both the employer and the employee.
Introduction
In Canada we have two federal laws which protect our privacy: the Privacy Act, which governs
the handling of personal information by the federal government, and the Personal Information
Protection and Electronic Documents Act (PIPEDA), which is the private sector privacy law (PIPEDA
Fact Sheet, 2014). PIPEDA sets out the rules under which businesses may legally collect and use
employees’ personal information; because collecting such information is necessary in many
organizations, it is important that the individual’s privacy remains protected (PIPEDA Fact Sheet,
2014). Personal information is defined as any information about an individual, including
age, income, gender, employee files and more (PIPEDA Fact Sheet, 2014). An employee’s name,
title, and place of business do not constitute personal information, and PIPEDA does not cover the
use of personal information for purely personal reasons, nor provincial or territorial governments
and agents of the Crown in right of a province (PIPEDA Fact Sheet, 2014). Under PIPEDA,
personal information must be collected with consent and for a reasonable purpose, kept accurate, stored
securely, made accessible, and used and disclosed only for the purpose for which it was collected (Mark, 2009).
In this case, Regent Street Bank, which employs 15,000 employees nationwide, wanted to
ensure that its employees were acting appropriately (Mark, 2009). Since the Tournier case of
1924, in which an employee disclosed personal information and lost his job as a result, banks have
maintained strict privacy policies to protect their customers’ information (Mark, 2009). With
customer privacy properly protected, the focus then turned to employee privacy. Under
Regent’s Principles of Business Conduct, employees’ email and voice messages could be
monitored by Regent (Mark, 2009). To confirm that employees were not acting
inappropriately, software called Topaz screened email messages for certain words and sentences
and archived them in a database; anything flagged was sent for human analysis (Mark, 2009).
As for telephone calls, the call centres recorded the conversations (Mark, 2009). Although these
measures are put in place to ensure that employees are not leaking sensitive information,
employees may be concerned that their own personal information could be flagged in a message.
Problem
The central issue in the case is whether the private information read and digested by
the manager while reviewing flagged messages can be expected to be erased from his or her
memory (Mark, 2009). When the routine searches flag email messages that also contain
employees’ personal information, they directly breach those employees’ privacy under PIPEDA. This
causes security and privacy problems among Regent Street Bank employees: it gives
the bank’s managers access to employees’ personal emails, along with the private
information contained within them. Furthermore, managers will be able to see customers’
personal information that should be protected under PIPEDA. This goes against ‘Privacy
Principle 3 – Consent’ under PIPEDA, whereby “the knowledge and consent of the individual are
required for the collection, use, or disclosure of personal information, except where
inappropriate” (Privacy Commissioner of Canada, 2011). When employees or customers
provided this information, they consented only to the purpose for which it was originally being used,
not to a manager reading it because a message got flagged.
The Topaz software also raises ethical issues for the company, such as managers reading
personal e-mails and forming biased opinions because of those messages. This leads to the
question: should managers be able to read through an employee’s personal information just
because Topaz flagged a word in the email that it deemed a security issue?
By reading these e-mails, managers could learn about a private
matter and form a biased opinion about that employee. This could
potentially lead to the employee being fired or demoted simply because the manager read
something that he or she did not agree with, even though it had nothing to do with the bank or a
breach in security. Sensitive information about employees that does not affect the
manager or the bank should be protected by PIPEDA ‘Privacy Principle 7 – Safeguards’, under
which “personal information shall be protected by security safeguards appropriate to the
sensitivity of the information” (Privacy Commissioner of Canada, 2011); this principle is not
being followed with the use of the Topaz software.
Alternatives
The breach of privacy within the industry led us to these alternatives, which could aid the proposed
software implementation by Regent Bank:
The first alternative that can help protect a company from digital espionage would be
engaging a third party responsible for the human analysis of Topaz-flagged
communication. This alternative can prevent conflict of interest between employee and manager,
and can prevent personal issues between the two parties. With a third party involved, the
monitoring is done by a separate entity, which can ensure that employees are made aware of
any privacy breach found in the screened messages. A third party company can ensure that all
emails are screened; however, mistakes are made by both humans and computers, which can
result in a breach of privacy for the company. The third party’s team and technology could
pass a message through the screening process and fail to catch that privacy has
been breached within the company.
A second alternative is to have flagged messages reviewed by a manager to whom the employee does
not report directly. This alternative can also avoid conflict of interest between the two
parties; employees are then protected and managers are able to proceed with their duties. The
outside manager can deal with the employee directly, bypassing the manager the employee
works with day to day. This alternative prevents the employee’s own manager from approaching
them about the matter; however, a manager hired specifically to handle these situations
may breach the employee’s privacy by telling others about what
occurred. Such a manager would then be breaching the confidentiality of the employee and
undermining the trust, values, and honesty the role itself entails.
As a third option, Regent Bank could give employees the
opportunity to redeem themselves through the Topaz software. If an employee sent out an email
that violates a privacy rule enforced by Topaz, a database would capture the breach and bounce the
email back to the employee to give them a chance for redemption. If Topaz gives employees the
redemption stage within the screening process for all emails sent from within the company,
employees would be better placed to avoid disciplinary action. Though
employees would receive a second chance by implementing this system within the company, a
downside to this alternative is that employees may come to feel entitled to the second
chance. Another issue with this alternative is the database failing to capture all of the privacy
breaches, which would deny those employees their second chance to redeem themselves.
Lastly, as our fourth alternative, eliminating the use of work Wi-Fi for personal emails
and personal phone calls could prevent digital espionage; it protects the interests of the
company. If this alternative is implemented, Topaz would increase the security of computers within
the company in order to prevent any breaches of privacy. This in turn would avoid the
conversation between the employee and the manager, and could avoid the conflict of interest
altogether. Employees may have mixed feelings about this alternative, and may therefore resort to
their cellular devices to communicate during working hours.
We have provided four alternatives that may solve the privacy issue at large. What follows is our
proposed solution and implementation.
Implementation
The optimal alternative to the issue at hand would be implementing a database in charge of
flagging emails deemed inappropriate to the workplace and returning those e-mail messages to
the sender. The Topaz database is specific to the company and routes all emails through
software in which the text is scanned and processed. This would eliminate likely
privacy breaches among the employees of Regent Street Bank, as the user can
clearly see where in their email it was flagged before it is sent on to the next user.
In order to implement this tactic, Topaz would have to collaborate with IT to alter the software
provided to Regent. Alternatively, the monitoring software can be modified to evaluate
employee e-mails, flag the misconduct and send the message back without Regent
executives reviewing it and taking disciplinary action.
This database would work much like Turnitin.com, in that the document/email is submitted
through the server and evaluated, receiving a percentage indicating how much of the document/email is
flagged (as plagiarism in Turnitin’s case, as a privacy breach here) and where. Furthermore, the software
prompts the user whether or not they would like to continue submitting their
document/email after making changes. Regent Street Bank executives must collaborate with
their employees to implement this “two-strike strategy” and come to an agreement on a fair chance
for redemption after a breach of the personal-use rules for Regent property.
Compared with the other alternatives, this option is the most suitable because it is a mutual advantage
to both Regent executives and employees. It directly addresses the issue of
the use of Regent property while allowing employees the opportunity to avoid disciplinary
action. Employing a third-party manager or eliminating the use of Wi-Fi are both
possibilities, but in each of them only the managers or only the employees are treated fairly.
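To make the proposed bounce-back workflow concrete, here is an added illustration of the screening stage described in the third alternative and in this section. It is example code written for this case study, not Topaz’s or Regent’s software, and its rule set, personal-data patterns, two-strike limit and redaction behaviour are all assumptions for the demonstration. The screener scans an outgoing message, returns it to the sender with the flagged locations and a Turnitin-style percentage, and only escalates a re-flagged revision to human review, showing the reviewer redacted excerpts rather than the whole message.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed rule set for the example; Topaz's real keyword lists are not on the page.
FLAG_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "confidential": re.compile(r"\bconfidential\b", re.IGNORECASE),
    "insider_tip": re.compile(r"\bbefore (?:the )?announcement\b", re.IGNORECASE),
    "credentials": re.compile(r"\bpassword\b", re.IGNORECASE),
}

# Constructed patterns for personal data a reviewer has no need to see
# (a SIN-like 3-3-3 digit group and a phone-like 3-3-4 digit group).
PERSONAL_PATTERNS: List["re.Pattern[str]"] = [
    re.compile(r"\b\d{3}[ -]\d{3}[ -]\d{3}\b"),
    re.compile(r"\b\d{3}[ -]\d{3}[ -]\d{4}\b"),
]


@dataclass
class Finding:
    rule: str
    start: int
    end: int
    excerpt: str


@dataclass
class Verdict:
    action: str          # "deliver", "bounce" or "escalate"
    strike: int
    flagged_pct: float
    findings: List[Finding] = field(default_factory=list)


def scan(body: str) -> List[Finding]:
    """Locate every rule match, sorted by position in the text."""
    found = [Finding(rule, m.start(), m.end(), m.group(0))
             for rule, pat in FLAG_PATTERNS.items() for m in pat.finditer(body)]
    return sorted(found, key=lambda f: f.start)


def flagged_percentage(body: str, findings: List[Finding]) -> float:
    """Share of characters covered by at least one match (overlaps counted once)."""
    covered = set()
    for f in findings:
        covered.update(range(f.start, f.end))
    return 100.0 * len(covered) / len(body) if body else 0.0


def redact_personal(text: str) -> str:
    """Replace personal-data patterns before any human sees the text."""
    for pat in PERSONAL_PATTERNS:
        text = pat.sub("[REDACTED]", text)
    return text


class OutboundScreener:
    """Bounce a flagged message to its author first; only a re-flagged revision escalates."""

    def __init__(self, max_strikes: int = 2) -> None:
        self.max_strikes = max_strikes            # assumed "two-strike" limit
        self.strikes: Dict[Tuple[str, str], int] = {}

    def screen(self, sender: str, message_id: str, body: str) -> Verdict:
        key = (sender, message_id)
        findings = scan(body)
        if not findings:
            self.strikes.pop(key, None)           # a clean revision clears the record
            return Verdict("deliver", 0, 0.0)
        strike = self.strikes.get(key, 0) + 1
        self.strikes[key] = strike
        action = "bounce" if strike < self.max_strikes else "escalate"
        return Verdict(action, strike, flagged_percentage(body, findings), findings)


def bounce_notice(v: Verdict) -> str:
    """What the sender sees: rule, location and matched text, so they can revise."""
    lines = [f"Message returned (strike {v.strike}): {v.flagged_pct:.1f}% of the text was flagged."]
    lines += [f'  [{f.rule}] characters {f.start}-{f.end}: "{f.excerpt}"' for f in v.findings]
    lines.append("Edit the flagged text and resend; a second flagged version goes to human review.")
    return "\n".join(lines)


def reviewer_excerpts(body: str, context: int = 30) -> List[str]:
    """What a human reviewer sees on escalation: only windows around matches,
    taken from the redacted text so personal data never reaches the reviewer."""
    red = redact_personal(body)
    return [red[max(0, f.start - context):f.end + context] for f in scan(red)]


if __name__ == "__main__":
    screener = OutboundScreener()
    draft = "Please keep this confidential. Sell before the announcement tomorrow."  # constructed
    print(bounce_notice(screener.screen("alice@example.test", "msg-1", draft)))
    print(reviewer_excerpts("My SIN is 123 456 789 and the deal is confidential."))  # constructed
```

The strike counter is keyed on sender and message id, so a clean revision of a bounced draft is delivered and clears the record, while the same draft flagged twice is the only thing a reviewer ever sees, and even then only as redacted excerpts around the matches. That ordering (bounce first, redact before review) is what keeps the manager from reading the unrelated personal content that the problem statement is concerned with.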
Conclusion
Regent Street Bank has clearly indicated and justified its need for increased security measures
within the company to prevent digital espionage. There was, however, concern among employees
that the implementation of the Topaz software contradicts their basic right to privacy under
Principle 3 – Consent of PIPEDA (Privacy Commissioner of Canada, 2011). Although the new
software is necessary and consent to it is required of all employees who wish to
remain working at Regent, the method by which the company went about it did not treat
employer and employee privacy and confidentiality equally. That said, our proposed solution,
giving employees a way to redeem themselves when suspected of breaching
company privacy through the Topaz software, would be preferable to the other
alternatives provided, in that the liability for confidentiality breaches is minimized for
both parties.
References
1. Office of the Privacy Commissioner of Canada. Fact sheets. Retrieved November 4,
2014, from https://www.priv.gc.ca/resource/fs-fi/02_05_d_16_e.asp
2. Mark, K. (2009). Regent Street Bank. Ivey Publishing, 1-7.
3. Privacy Commissioner of Canada. (2011, September 16). Privacy principles. Retrieved
from Office of the Privacy Commissioner of Canada website:
https://www.priv.gc.ca/leg_c/p_principle_e.asp