HomeMy WebLinkAbout2003-3957.Ng.07-12-17 Decision
Commission de
Crown Employees
Grievance Settlement
règlement des griefs
Board
des employés de la
Couronne
Suite 600 Bureau 600
180 Dundas St. West 180, rue Dundas Ouest
Toronto, Ontario M5G 1Z8 Toronto (Ontario) M5G 1Z8
Tel. (416) 326-1388 Tél. : (416) 326-1388
Fax (416) 326-1396 Téléc. : (416) 326-1396
GSB# 2003-3957, 2007-0338
UNION# 2004-0516-0001, 2005-0516-0015
IN THE MATTER OF AN ARBITRATION
Under
THE CROWN EMPLOYEES COLLECTIVE BARGAINING ACT
Before
THE GRIEVANCE SETTLEMENT BOARD
BETWEEN
Ontario Public Service Employees Union
(Ng)
Union
- and -
The Crown in Right of Ontario
(Ministry of Government Services)
Employer
BEFOREVice-Chair
Nimal Dissanayake
FOR THE UNION
Serge Linarello
Grievance Officer
Ontario Public Service Employees Union
FOR THE EMPLOYER
Jennifer Richards
Counsel
Ministry of Government Services
FINAL WRITTEN
December 13, 2007.
SUBMISSIONS
2
Decision
On September 17, 2007 I conducted a mediation-arbitration process with respect to two
grievances filed by the grievor, Ms. Flora Ng. The parties presented their respective positions
and documents were filed. However, no resolution was achieved.
In that it appeared that the pertinent facts were not in dispute, I directed the parties to
submit an agreed statement of facts and their submissions within stipulated time limits. The last
of the submissions were received on December 13, 2007.
This decision was made on the basis of the agreed statement of facts submitted by the
parties, their representations at the mediation-arbitration, and their written submissions, together
with the documents filed as appendices.
The agreed statement of facts reads as follows:
AGREED STATEMENT OF FACTS
Flora Ng Grievances
GSB #2003-3957 (PKI) and #2007-0338 (Job Switch)
Employment History
1. The Grievor commenced classified employment in the Ministry of Consumer of Business
Services on April 17, 2000 in a SO4 Senior Systems Analyst. The Grievor?s current
Appendix 1
position description report is found at .
2. As a result of a reorganization on April 2, 2002, her position (as well as her unit)
transferred to the Ministry of Labour. There were no changes to her job duties as a result
of the change in Ministry. At this time, the Grievor reported to Stephen Cox.
3. Effective April 1, 2006, the Grievor?s position and unit transferred to the Government
Services Delivery Cluster in the Ministry of Government Services. The Grievor reported
to Mr. Ed Boctor, Manager, Registration and Transactions Application until June 18,
3
2007. The Grievor now reports to Ms. Catherine Emile, Acting Manager, Registration
and Transactions Application.
PKI
4. The Ontario government?s Public Key Infrastructure (?PKI?) is an electronic security
system used to ensure employees? identities and to protect the integrity of the online
see Appendix 2
services used []. A PKI is a combination of hardware, software, people,
processes and policies that allow individuals to use online services in an environment of
trust and security. In technical terms, PKI works by using digital identity assurance and
data encryption to communicate, conduct transactions and exchange information in a
secure and confidential manner. The encryption process uses pairs of virtual electronic
keys to encode and decode information.
5. All employees in the Ontario Public Service (?OPS?) have Basic PKI assurance for
access to the Workforce Information Network (?WIN?), the government-wide integrated
human resources system, for electronic pay stubs, attendance etc. Medium Level PKI
Assurance is required to access certain online services and databases that are highly
sensitive. Medium level assurance is defined on page 2-9 of the Certificate Policy for the
see Appendix 3
Government of Ontario PKI [] The main difference is that employees are
asked to go to a Local Registration Authority (?LRA?) to authenticate their identity in
see Appendix 4
person [].
Medium Level PKI Assurance
6. PKI medium assurance authentication is required for all employees who are required to
see
log on to the Ontario Vital Statistics Improvement Project 1 (?VISION?) system [
Appendix 5
]. The fundamental objective of VISION was to enhance the security around
processing and handling of vital event information. Enhanced authentication of users of
the new VISION system was specifically identified as a key program objective. The GO-
PKI system was utilized, as the system was specifically mandated as the Government of
Ontario?s authentication solution for new systems, particularly those containing sensitive
information. Given the high sensitivity of personal information contained in VISION, a
medium level of assurance is required.
7. Employees with access to an application which requires a medium level of assurance
see Appendix 6
have to upgrade their digital identity to the medium level []. This
involves a face-to-face meeting with a LRA to revalidate their identity. Employees?
consent is obtained when they sign the GO-PKI Digital Identity Agreement Internal
see Appendix 7
Subscriber Form (?the Subscriber Agreement?) []. Section 1 and 3 of the
form are completed by the subscriber employee and section 2 of the form is completed by
an authorized LRA.
8. To be upgraded to medium level assurance, the subscriber employee must provide at least
see GO-PKI
two (2) pieces of identification during registration (originals only) [
Operating Procedures atAppendix 8, page 22
]. The two pieces of identification must
consist of:
4
A primary identification document with a document number and photo that
was issued by a government organization using a standardized process of
registration; and
An acceptable secondary identification document.
If the primary document does not contain a photograph, then a third piece of
identification is required and one of the secondary documents must contain a photograph.
9. The name and address information on the primary and secondary documents is compared
for consistency and the number on the primary document is recorded. The information
on secondary documentation is not recorded because many of the eligible documents
contain personal information that should not be recorded by an LRA, and do not include a
document number that can be recorded instead of personal information.
10. Since Subscriber Agreements contain personal information, the original agreements must
be securely stored according to the regulations under the Freedom of Information and the
Protection of Privacy Act (?FIPPA?) at the Registration Authority (?RA?) secure site
only. An RA is accountable for the rules of a specific GO-PKI enabled program within
their domain. Storage at the RA site must be locked, secure and access limited to those
individuals within the RA network who are actively taking registration information.
Individuals acting in registration positions are bound by FIPPA requirements for
confidentiality of personal information provided to them. They must not maintain
separate copies of the original Subscriber Agreements nor maintain a separate database of
see Appendix 8, page 20
the information on the subscriber forms [].
11. The GO-PKI Notice of Collection outlined on the Subscriber Agreement in dictates that,
in accordance with the Government of Ontario ? PKI Certificate Policy, the personal
information provided on the form is collected for the purpose of issuing the employee a
Digital Identity and authorizing the employee as a GO-PKI Subscriber. The information
is used to verify the employee?s identity and ensures that the Digital Identity issued
correctly identifies the employee and no one else. The completed form is transmitted to
the Ministry of Government Services, the Ministry responsible for the implementation
and management of GO-PKI.
see Appendix 8, page 14
12. There are responsibilities for all authenticating LRA?s []. For
example, LRA?s must:
Maintain the confidentiality of Subscriber identification information in
accordance with both FIPPA and the Municipal Freedom of Information and
Protection of Privacy Act;
Keep up-to-date with the current RA/LRA Operating Procedures and their role
and responsibilities under the procedures.
Protect the hardware and software components used in the performance of their
LRA function in accordance with the policy and practices of the Certificate
Authority.
5
Medium Level PKI Assurance Upgrade
13. On December 2, 2003, the Grievor?s manager, Mr. Cox, sent her an email requesting her
see Appendix 9
consent to obtain Medium Level Assurance []. At the time, the Grievor
was working on the VISION system, which handles highly sensitive and personal
information for the Office of the Registrar General.
14. After the Grievor received the request to upgrade to the medium level, she scheduled a
meeting with her manager, her OPSEU representative, Mr. Joe Kavanagh, and the Senior
Human Resources Consultant, Mr. David Carter to discuss her concerns and discomfort
seeAppendix 10
with providing the required information on December 19, 2003 [].
see Appendix
15. The Grievor filed her grievance dated January 7, 2004 (GSB #2003-3957) [
A
].
16. Following the filing of her grievance, a meeting with Mr. Kavanagh and Mr. Carter was
held to discuss the Grievor?s questions and concerns regarding Medium Level PKI
see Appendix 11
Assurance on February 13, 2004 [].
Job Switch
17. The Grievor refused to provide the required information to gain medium level PKI
assurance, and therefore was no longer able to work on the VISION system for security
reasons.
18. From February 2004 to June 2004, the Grievor worked on the Release I initiative for the
VISION application, an aspect of the VISION system which does not require Medium
Level PKI Assurance.
19. From June 2004 and June 2005, the Grievor was involved in the technical support of the
VSIS system (the system that VISION replaced) including work on the technical aspects
of the decommissioning initiative of the VSIS system. These duties did not require
Medium Level PKI Assurance.
20. On August 11, 2005, the Grievor was given the option of alternate work assignments, as
the decommissioning initiative of the VSIS system was complete and the Grievor could
no longer work on the VISION system. Mr. Boctor gave the Grievor a choice between
various assignments: Crystal Reports, Integrated Development Environment Project
(?IDE?), or common vendor tools. She declined to select any and she advised that she
would accept whatever Mr. Boctor selected. As a result, the Grievor was assigned to
work on Crystal development and support.
21. Crystal is an enterprise reporting toolkit that helps create reports in a rapid and flexible
manner. A colleague, Ms. Tuyet Ngo, was assigned to introduce the Grievor to the
Crystal system and provide her with access until she completed training on Crystal
development. She was then scheduled for a Crystal course for four (4) days starting
September 13, 2005. The Grievor attended the scheduled course.
6
see
22. On September 23, 2005, the Grievor filed a second grievance (GSB #2007-0338) [
Appendix B
].
23. The Grievor was off on sick leave from November 7, 2005 to May 3, 2006. She returned
to the workplace until June 6, 2006 at which point she went back on sick leave until
December 11, 2006.
24. Since her return from sick leave, the Grievor has continued to work with the Crystal
system on tasks that do not require Medium Level PKI Assurance.
(Appendices not reproduced)
The first grievance dated January 07, 2004 arises as a result of the employer?s request
that the grievor obtain medium level PK1 assurance as a condition of continuing to work in the
Vision system. The grievor alleges in her grievance that the request for personal information to
obtain the medium level PK1 security clearance is in violation of article 2 of the collective
agreement (The Management Rights provision).
In the second grievance dated September 23, 2005, the grievor grieves that the
employer?s action of reassigning her to less sensitive duties following her refusal to obtain the
higher level of security clearance contravenes article 2 (Management Rights) and article 3 (no
discrimination) and any other applicable statutes.
The employer has moved that the grievances be dismissed on the basis that a prima facie
breach of the collective agreement has not been established.
Having reviewed the material and the submissions before me, I find that the grievor was
not singled out for any differential treatment. All employees working on the Vision system are
required to obtain the medium level security clearance, which requires disclosure of the very
same information requested of the grievor. Similarly, it is clear that the grievor was reassigned
7
to other duties, because in the exercise of its management rights, the employer has determined
that any employee working on the vision system must have the higher level of security clearance.
The material establishes that the employer?s policy applied to the grievor was a general
one, applied to all employees working on that system. I find that the employer?s policy was
driven by legitimate business and legal considerations. There is no suggestion of bad faith. It
was a reasonable exercise of its management rights. Nor is there anything to suggest that the
grievor was discriminated against on the basis of any prohibited ground under article 3.
For all those reasons the two grievances are without any merit, and are hereby dismissed.
th
Dated this 17
day of December 2007 at Toronto, Ontario.
Nimal Dissanayake
Vice-Chairperson