Queen’s Faculty Grievance Wins Partial Ruling on Security Software

An arbitrator has partially upheld a grievance from the Queen’s University Faculty Association (QUFA) concerning a new mandate requiring faculty to install third-party security software on their work devices. The ruling, issued by arbitrator William Kaplan on November 7, 2025, follows a hearing held in Kingston on November 4, 2025, and directs Queen’s University to make significant changes regarding device reimbursement and cybersecurity protocols.

The grievance was initiated after the university administration implemented a rule necessitating faculty members to install Microsoft Defender for Endpoint (MDE) and Microsoft Intune on any device they use for work, including computers, tablets, and smartphones. QUFA contended that the policy was unreasonable and breached academic freedom and privacy rights. They argued that it lacked transparency and failed to involve meaningful consultation with faculty, which they claimed contradicted several articles of the Collective Agreement, including provisions related to discipline and privacy.

QUFA also highlighted that the administration acknowledged the need for further work to enhance transparency and informed consent but proceeded with the new rule regardless. The association expressed concerns that the policy disregarded the unique privacy requirements within a university environment, where the free exchange of ideas is paramount. They emphasized that faculty members have a reasonable expectation of privacy on any device utilized for work, irrespective of ownership.

In a crucial aspect of his ruling, Kaplan mandated that all faculties and departments at Queen’s reimburse faculty for device purchases, including mobile phone upgrades, through existing professional expense accounts. This ruling applies to term adjunct faculty as well, ensuring they receive reimbursements promptly once the necessary forms are submitted. Additionally, term adjuncts not using university-funded devices cannot be compelled to install MDE or Intune, allowing them to access university systems using alternative security measures such as multi-factor authentication.

The decision also establishes a new Standing Joint Committee on Technology (SJCT), which will consist of three QUFA-appointed faculty members, the University’s Chief Information Officer, and two representatives appointed by the Queen’s Provost. This committee is tasked with addressing technology issues impacting working conditions, meeting quarterly starting in January 2026. One of its initial responsibilities will be to review the university’s Endpoint Protection FAQ page to ensure clarity and accuracy.

Queen’s University is now required to inform affected term adjuncts about the altered requirements and to update its website accordingly. Furthermore, the university must provide the committee with a detailed written report every quarter, outlining all detected security threats that necessitate action. This report is expected to offer complete transparency regarding the nature of each threat and the university’s response.

In a bid to facilitate effective communication, Queen’s Information Technology Services must conduct in-person information sessions for QUFA members at least four months prior to the introduction of any significant technological changes. These sessions must foster meaningful dialogue and allow for questions. The ruling also mandates that all notable technology changes be discussed at both the SJCT and the Joint Committee to Administer the Agreement (JCAA).

Kaplan has ordered Queen’s to consult with QUFA before finalizing key policies, including the Exceptional Access Authorization Procedure and the Cybersecurity Policy for Faculty. Additionally, consultation is required prior to the renewal of the Electronic Monitoring Transparency Policy in 2027. Within 30 days, both parties must work together to agree on an external provider to conduct a new privacy impact assessment of the software in the Endpoint system. Should they fail to reach an agreement, Kaplan will select the provider from a list proposed by both sides. The assessment will focus on safeguarding personal, research, and intellectual property data, with results to be shared with QUFA for consultation on any recommended changes.

Kaplan concluded his ruling by stating that he will remain “seized” of the matter, indicating his ongoing involvement in resolving any disputes related to the implementation of his decision.

In response to the ruling, a university spokesperson expressed satisfaction, stating, “Queen’s is satisfied with the outcome of the Endpoint Protection grievance as it enables the university to maintain an EP program to safeguard university IT systems. The university is adjusting the implementation of EP on some personal devices used to access our systems to comply with the decision of the arbitrator.” Further information and a list of Frequently Asked Questions about Endpoint Protection are available on the Queen’s IT Services website.