Inadequate legal protection for privacy in the workplace is a threat to academic freedom, privacy-law experts Valerie Steeves and Eugene Oscapella warned CAUT delegates in a special session at CAUT's November Council meeting.

Steeves, who teaches law at Carleton, and Oscapella, an Ottawa lawyer who teaches at the University of Ottawa, warned that employers have the capacity to view, copy and save any data files that are created or viewed on employees' computers if employees are using the employer's system. In most cases, collective agreements and privacy policies in place at universities do not deal with this effectively.

Because computers are widely used for storing teaching material and research data and records, access to personal computers by university and college administrators, ostensibly for the purpose of ensuring a safe and effective operating system, may be viewed by academic staff as constituting a breach of their academic freedom, a breach of copyright, and a breach of their confidentiality agreements with research subjects.

Since universities are not government actors and therefore are not subject to the Canadian Charter of Rights and Freedoms, they are not required to comply with the Charter protection from unreasonable search and seizure. While the police cannot legally enter an academic workplace without the university's permission and search and seize university property (including electronic files), the university administration is not prohibited from using technological tools to search, copy or make other use of academics' data and files if the data and files are deemed to be university property. In the absence of collective agreement language to the contrary, the use of university computer systems, including Internet access, could result in the data and files being considered university property.

Steeves said that while some universities profess to subscribe to fair information practice principles developed by the U.S. Federal Trade Commission in its report to Congress in 1998, the commitment to respect these practices is unenforceable if breached.

The widely-accepted principles concerning fair information practices include a commitment to the following principles governing the use of personal information: notice/ awareness - data collectors must disclose their information practices before collecting personal information from users; choice/consent - users must be given options with respect to whether and how personal information collected from them may be used for purposes beyond which the information is provided; access/ participation - users should be able to access and to contest the accuracy and completeness of the data collected about them; and, integrity/ security - data collectors must take reasonable steps to ensure the information collected from users is accurate and secure from unauthorized use. Missing from this list is an enforcement mechanism to ensure compliance with the principles.

In a second panel, CAUT chief negotiations officer Neil Tudiver highlighted the weakness in most collective agreement language protecting privacy. As well, Tony Joniec and Patrick Valade, of the Ottawa-based network integration firm BridgeTech Systems, described information technology common in the workplace and the risks inherent in protecting electronic files from incursions. The panellists agreed that while e-mail can be protected by using virus protection and encryption technology, use of the latter is limited where the recipient does not have the same technology in place to decode the messages.

Tudiver said strong contract language is particularly important in light of Oscapella's warning about the growing attack on privacy rights, especially in the U.S. With Canada's declared commitment to strengthening its relationship with the U.S., there is every likelihood that already limited privacy rights will be reduced in the name of security.

Oscapella pointed to the imminent creation of a super database in the U.S. following the adoption of the new Homeland Security Act. Reports in the Globe and Mail and the New York Times tell of how the U.S. is creating a "data warehouse" of information on individuals, which include surveillance of credit card purchases, Internet uses, banking and medical records, and telephone conversations.

CAUT president Victor Catano noted universities in the U.S. are not far behind the government, in acting intrusively to promote security.

According to correspondence he's seen circulating among chairs of psychology departments, some American universities are requiring staff and students to have identification tags if they want to be on university property.

But government is not the only "big brother" watching you.

Steeves says corporations which provide licenses to university libraries for use of their databases often require that users provide personal information to the licensor. Information collected may be sold to other interested parties, including a future government conducting surveillance for the declared purpose of public security in our post-Sept. 11 world.

Oscapella noted that he and Steeves had worked for more than two years with a Canadian senator to develop a privacy charter for Canada. But the bill died on the order table and has not been revived.

"Academics who take their commitment to academic freedom and freedom of expression seriously should see this as the time to take action to secure privacy protections both within their academic institutions and in the larger society," said CAUT legal counsel Rosemary Morgan, who chaired the privacy panel. "That means negotiating tough language in collective agreements and pressing politicians for protections in law."

CAUT will be issuing a bargaining advisory on privacy in early 2003 to assist local associations in developing appropriate privacy protections for their members.