Anyone who has paid even casual attention to the news during the past decade will be aware that stories about privacy — especially those relating to privacy breaches or other privacy-related transgressions — have become commonplace.
A contributing factor in many of these incidents has been inadequate staff training concerning privacy and data security.
Employers keen to stay on top of the issue should consider an in-house privacy training program. And one of the first steps to take down that road is answering the question “Who should be trained?” Then attention can turn to the type of training needed, how frequently it should be delivered and how the benefits can be assessed and effectively reinforced.
There are an increasing number of federal, provincial and territorial privacy laws in Canada that govern dealings with personal information or personal health information by private, public, health and non-governmental sector entities — though they vary depending on the sectoral and jurisdictional settings.
Some Canadian privacy laws expressly require organizations to carry out privacy training, such as the federal Personal Information Protection and Electronic Documents Act (PIPEDA), Ontario’s Personal Health Information Protection Act, 2004, and Alberta’s Health Information Regulation.
Training obligations may also arise by “necessary implication” from the wording of a statute, such as the Information and Privacy Commissioner for Saskatchewan stating that a requirement to provide privacy training can be implied from a provision in that province’s Health Information Protection Act.
Under public sector privacy laws, meanwhile, training obligations are typically imposed via government policy (such as the federal government’s Policy on Privacy Protection).
Who needs training?
As it is very difficult to predict the precise scope of personal information collection, use and disclosure by employees, privacy training should be broadly targeted.
Ontario’s Information and Privacy Commissioner advises that all employees — including the senior management team, departmental managers and front-line staff — should receive privacy training.
The Office of the Privacy Commissioner of Canada, which is responsible for oversight of PIPEDA, has consistently recommended that organizations subject to that act should provide privacy training for both front-line and management staff.
And after a much-publicized privacy breach involving a federal government department’s loss of a computer hard drive, the commissioner recommended a privacy training and awareness program be delivered to all departmental employees.
Similar recommendations have been made by privacy regulators in other jurisdictions, including Alberta, Newfoundland and Labrador, British Columbia and New Brunswick. In speaking about Saskatchewan’s Health Information Protection Act (HIPA), that province’s information and privacy commissioner has noted:
“As we work to build a strong culture of privacy and confidentiality in and among all Saskatchewan trustees and trustee organizations, all staff of a trustee organization should receive HIPA training. The experience in other provinces with a health information law is that training should involve all employees, volunteers, contractors and students who work in or for a health trustee organization. The content and intensity of the training will reflect the particular roles and needs of different employee groups in an organization, but all of those employees and others should have some basic understanding of privacy, confidentiality and HIPA.”
What’s covered in the training?
Given the particular nuances of each organization’s activities and internal policies and procedures, and the host of potentially applicable privacy laws, there isn’t a single, standardized template for an employee privacy training curriculum.
But there are a number of common elements that should form part of each program, including:
• Some privacy-related background information that provides context for the training.
• A discussion of key terms.
• A brief review of applicable privacy laws.
• An examination of key privacy concepts.
• A description of the organization’s ongoing dealings with, and holdings of, personal information or personal health information.
• A review of the organization’s policies and procedures that relate to privacy and data security.
• An introduction to the organization’s privacy officer or team and a description of her roles and responsibilities.
• A reminder of each staff member’s personal responsibilities relating to privacy/data security.
Privacy training is not generally suited to a one-size-fits-all approach — employees responsible for front-line dealings with personal information, especially sensitive information, will require training that differs, in terms of the extent and specificity of its content, from training provided to employees who have less frequent contact with personal information.
As an example, in 2013, the information and privacy commissioner of Newfoundland and Labrador held that the employees of a regional health authority who were given user privileges for an electronic medical records system “should be required to complete privacy training each year that includes completion of a comprehensive privacy tutorial with specific modules on privacy issues related to electronic information systems. Completion of this training should be tracked and linked to an annual renewal of user privileges.”
Privacy regulators have not shown any particular preference regarding the format of privacy training — organizations can choose between live and electronic (group or independent study) training in accordance with their own preferences and resources.
When it comes to privacy training, the old concept of “once and done” no longer meets due diligence requirements in most settings. The frequency of training should vary in accordance with the extent and sensitivity of the target audience’s dealings with personal information.
Some privacy regulators feel employee groups that continually deal with certain types of sensitive personal information will require detailed privacy training on an annual basis as a condition of employment. Other categories of staff will need less training but, in all cases, training should be updated on a regularly scheduled basis. New hires should receive training appropriate to their respective roles before interacting with personal information under the control of the organization.
The most effective means of assessing the merits of a training program is to subsequently test trainees’ understanding or retention of the information presented to them. Individual testing can take the form of a quiz administered in a live or electronic setting. Alternatively, testing can be carried out in a group setting via role-playing or team-based exercises — which may also have team-building benefits. In either case, if the testing reveals an understanding or retention that is below an acceptable threshold level, those people should be designated for retraining.
In cases where the personal information is of high sensitivity (such as health records), testing should be done on an individual basis and the employer could consider making a satisfactory test score a condition of service.
Persistently high fail rates may be an indication the test (or scoring) is too difficult. Organizations may wish to direct refresher materials to employees between training sessions to reinforce key training messages.
Rick Shields is a partner specializing in privacy law at the legal firm nNovation in Ottawa. He can be reached at (613) 656-1293, firstname.lastname@example.org or visit www.nnovation.com for more information.