Electronic Monitoring Policy
- Related Documents: Acceptable Use of Information Technology Policy, Workplace Civility and Respect Policy, Information Classification Standard and Handling Guidelines, Information Protection Policy, Information Protection and Access - Restricted Information Policy, Information Protection and Providing Access to Restricted Information Procedure (Privacy Procedure), Records Management Policy, CCS Access Control Standard, Glossary, CCS IT Security website, Minimum Cybersecurity Controls, Records Retention Schedule, Notice of Collection
- Owner: Vice President, Administration and Operations
- Approver: President
- Approval Date: October 11, 2022
- Next Review Date: October 11, 2025
I. Introduction and Purpose
The Ontario Employment Standards Act, 2000 requires organizations with 25 or more employees to have a written policy with respect to the electronic monitoring of employees.
Electronic Monitoring, such as the use of pass cards, firewalls, and two-factor authentication, is utilized across the University for a variety of purposes, including but not limited to enabling the University to meet its obligation to maintain a safe and secure environment for students, staff, faculty, and visitors. The University values privacy and is committed to transparency with regard to the instances where Electronic Monitoring of its Employees may arise.
The purpose of this Electronic Monitoring Policy (the “Policy”) is to provide a vehicle for the disclosure of the circumstances in which an Employee may be Electronically Monitored, and the purposes for which the University may use the information obtained through Electronic Monitoring in accordance with the Ontario Employment Standards Act, 2000.
II. Application and Scope
This Policy applies to all Employees of the University.
This Policy does not provide Employees any new rights or right to not be Electronically Monitored. Nothing in this Policy affects or limits the University’s ability to conduct Electronic Monitoring, or use information obtained through Electronic Monitoring.
Nothing in this Policy is intended to amend or supersede any grievance procedure or other aspect of any applicable collective agreement, or other University policies and procedures.
For the purposes of this Policy:
“Electronic Monitoring” means the monitoring of Employees using electronic tools, devices, or software to collect, analyze, or retain data on Employee activities or physical locations.
“Employee” means an individual who is considered employed by the University under the Ontario Employment Standards Act, 2000 or any successor legislation.
“Personal Information” means information about an identifiable individual as defined in the Freedom of Information and Protection of Privacy Act (Ontario).
“University” means Toronto Metropolitan University.
- The University uses various forms of Electronic Monitoring in different circumstances and for different purposes. The University may use Electronic Monitoring to actively and intentionally track activity or location in real-time or close proximity to the time of collection. The University may also use Electronic Monitoring passively, involving the collection, analysis and/or retention of data that is not actively monitored.
- The University shall publish as an Appendix to this Policy a summary of how and in what circumstances the University may employ Electronic Monitoring, and shall update the Appendix no less frequently than annually.
- Nothing in this Policy affects or limits the University’s ability to conduct Electronic Monitoring or use information obtained through Electronic Monitoring, including, but not limited, to the University’s right to collect, use, and disclose such information for the following purposes:
- To ensure the safety and security of University premises and University networks and systems;
- To assure the safety, security, and comfort of University community members within physical spaces on University premises, and other related uses deemed appropriate and necessary;
- To assure the availability, integrity, and confidentiality of digital assets and resources connected to the University network or otherwise provided by the University, and for other related uses deemed appropriate and necessary;
- To enable authorized staff to monitor and maintain University systems and facilities, including during the course of undertaking routine communications, system tasks, and maintenance;
- Where there is reasonable suspicion that individuals are storing, transmitting, or transferring communications and/or data that are in breach of University policies or applicable law;
- To enable an Employee to undertake and fulfill their assigned job duties.
- In addition to the purposes published by the University in section 4, the University may use Electronic Monitoring for the purposes of monitoring, evaluating, or investigating Employee performance, behavior, conduct, and related matters, and reserves the right to use data collected from Electronic Monitoring for labour and employment-related purposes including to investigate or issue an Employee discipline, up to and including termination of employment.
- The University’s use of any Electronic Monitoring for employment-related purposes is subject to any rights an Employee may otherwise have per their employment contract, collective agreement, under other applicable University policies and procedures, or otherwise at law.
V. Posting, Notice, and Retention
The University shall provide all Employees with access to or a copy of this Policy within 30 calendar days of implementation, and shall provide new Employees with access to or a copy of this Policy within 30 calendar days of the Employee commencing employment with the University.
This Policy may be amended from time to time in the University’s sole discretion. In the event that the University amends this Policy, the University shall provide an amended copy of the Policy to Employees within 30 days of the changes being made.
The University shall retain a copy of this Policy and any revised version of this Policy for a period of three (3) years after it ceases to be in effect.
This Policy falls under the jurisdiction of the Vice-President, Administration and Operations who is responsible for the interpretation and application of this Policy, and the creation of such procedures and guidelines as necessary or desirable to give effect to this Policy.
Toronto Metropolitan University
Electronic Monitoring Technologies in the Workplace
Absolute Resilience (continuous): Software on all CCS Lab/PT computers and if selected by departments when ordering staff/faculty computers. It tracks Location, Network, Hardware, and software details and aids in the recovery and/or remote wipe of a lost or stolen device.
Application Firewall (on login): An application firewall is used to tailor more application-specific logging and security controls unique to the application for improved security and audit trail purposes.
D2L (on use): D2L Applications and sites on the D2L platform may be configured to retain activity and audit logs.
Document Management Systems (on use): May be used to track access to and activity in specific electronic documents, records and files
Electronic key lock box (Facilities Management) (on use): Individual OneCard access to lock box is logged when keys are removed and returned.
Email (on use): Email servers, including Gmail, retain logs of email communications.
Email filtering (continuous): Software scans all messages sent or received by addresses within the University’s domain for malicious content.
Endpoint threat detection and response protection tools (continuous): Monitors the use of workstations and servers (programs run, files read and written, etc.) and compares it against a baseline to detect abnormalities and potential unauthorized use.
Firewalls/VPN (continuous): Network security programs and tools to control access of University systems and resources. Systems collect and retain logs of network connections, including connections from the internet to digital assets and resources on the network, connections from devices on the network to websites and other resources on the internet, and connections between devices on the network. Automated analysis of network connections and the content thereof is performed to prevent exposure to known cybersecurity threats. Data collected by Firewalls may be correlated with other data sets to monitor the activities of an identifiable person or persons.
Google Applications (on use): Applications are capable of accessing system information, as well as all information and data stored and communicated through I.T. resources. For example, all email communications, instant messages and facsimiles that are sent through Employer-owned networks, equipment, or user accounts are automatically logged, and at any time, are subject to monitoring and audit to ensure appropriate usage. This may include personal email accounts when those accounts are accessed through Employer-owned I.T. assets.
Identity Access & Management System and Active Directory (on login): Systems record data on authentication attempts to digital assets and resources. System logs capturing user account name, IP address, for cyber security and systems access control.
Internet traffic monitoring and filtering (continuous): Software logs and triggers events for web & network traffic.
LabStats (on login): Track software and computer usage for Lab & classroom podium computers. Realtime access to what is being used to gauge system performance and assist in resource management.
OneCard access (on use): Electronic sensor creates a record each time an authorized user scans their key fob and enters the University’s premises.
Packet Capturing Device (continuous): Capturing network traffic and application data packets.
Phone System (on use): The phone system keeps logs of the username, IP address, caller number, date/time of the call, copy of voice messages, building name & building address for 911 calls, and voice recording for help desk & Service Hub agents.
Project and Contact Management Software (on use): Project management software may be used by University units and departments to manage activity on projects
Repair and Help Desk ticketing systems (on use): Software systems are used to create service tickets that track the user's name, department, email, phone number and the nature of the issue or concern that initiated the service call. This may include the description of users’ activities on their computers leading up to the problem event to enable service and problem management. The systems track responses by relevant staff to the issues raised.
SCCM / Intune (continuous): Hardware and software information on users’ devices to enable device management for CCS supported staff & faculty computers.
Security Awareness Training System (on use): The system tracks the user name, IP address, date & time the user responds to the email, and the action the user takes. It includes opening the simulated phishing email, clicking on the embedded hyperlink in the phishing email, downloading the attached file, and forwarding the simulated phishing email to the spam filter. Cyber security awareness training.
Security Information Event Management (continuous): Network and server logs collected and correlated for specific use cases to trigger suspicious or unauthorized system events.
Video (CCTV)/audio surveillance/monitoring (continuous): Cameras record video footage of specific areas within the University’s facilities to ensure that members of the University community and visitors are provided with a safe and secure environment, as well as to ensure that assets are kept secure from theft, vandalism, and other forms of misconduct.
Web analytics (continuous): website traffic reports collected for Adobe AEM websites [torontomu.ca, individual sub-sites on on AEM Author production via tracking code placed in the Global Inherited content level via Cloud Services via public web pages and also via TouchUI consoles in AEM Author].
Website/web application monitoring (continuous): All website and web applications may configure to log users' activities for security, troubleshooting, and application functional purposes. It may track usernames, system activities, IP addresses, login, and log-out date/time.
Wireless Access Points (continuous): Logging on-campus user device authentications, web traffic, network traffic and approximate device locations.
Hoteling (on use): Software used to create bookings for workspaces on campus. The system tracks the user's name, department, email, phone number (optional), the specific space they will be occupying and the time and date they will be occupying it. Some departments may activate the check-in feature in order to automatically release booked workstations that are not in use.
Appendix last updated on November 6, 2023