The death of the phone, and other privacy stories

While technology can make complying with privacy laws easier, it poses a host of new challenges for organizations

HR professionals use the telephone every day. It is a primary tool, arguably the main tool in competition with e-mail, used to request and receive information.

Employees call requesting benefit balances. HR calls others asking for references. HR receives calls requesting confirmations of employment.

But can HR, or anyone for that matter, continue to rely on the phone? Concerns around the privacy and security of personal information have led many to suggest the phone is dead when it comes to requesting information because it is extremely difficult to authenticate the identity of the caller. Even using caller ID, showing that the call is coming from a person’s phone, is not sufficient to ensure the person calling is the individual whose information is being requested.

“Private” means no-one else

Consider the case of the woman who visited her fiancé’s bank to drop off some documents. Left alone briefly with his file on the banker’s desk, the woman discovered some facts about her fiancé’s financial situation that caused her to break off the engagement.

The bank argued her role as courier of private information implied she enjoyed a right to see her fiancé’s personal information, but Canada’s Federal Privacy Commissioner disagreed. The bank should have kept the customer’s personal information secure and private and not assumed facts not in evidence.

The Canadian privacy maze

On Jan. 1, 2004, the federal Protection of Personal Information and Electronic Documents Act came into force in all provinces without their own privacy legislation. The law is designed to ensure organizations that hold information about individuals handle that personal information responsibly. It also gives individuals control over the way information about them is handled and a right to request access to and correction of their personal information.

Quebec has had privacy legislation in place since the 1990s and Alberta and British Columbia chimed in with their legislation last year.

But neither Alberta’s nor B.C.’s new privacy legislation has been officially found to be “substantially similar,” so an organization operating in those provinces will have to worry about both the federal and provincial privacy laws. (Earlier this year, Industry Canada stated its intention to recognize both the B.C. and Alberta laws as “substantially similar” but as of press time had not done so.)

In Ontario the province’s new Health Information Privacy Act took effect on Nov. 1, 2004. It could have a huge impact on health professionals, benefit carriers and employers.

Privacy and security south of the border

If an organization operates or has an affiliate in the United States, or if any organizations providing services are U.S.-based, employers need to become aware of the Patriot Act and other U.S. legislation such as Sarbanes-Oxley. They may well apply to all employees, American or Canadian.

Fastest growing crime in North America

The greatest amount of identity theft — perhaps as much as 70 per cent — is done by employees, according to a study out of Michigan State University of more than 1,000 identity theft arrests in the U.S.

It has long been accepted that more than 80 per cent of retail theft was due to employees and now it seems information is the new target of such criminals.

More than 1,000 cases were studied and each theft traced back to its source. Employees were directly responsible for more than 50 per cent, and although another 20 per cent couldn’t be absolutely proven, that percentage was clearly the result of someone with internal knowledge. And it is not just employees. Business owners were also found to be guilty.

Implanting microchips under the skin

A radio frequency identification (RFID) system consists of a tag, which is made up of a microchip with an antenna, and an interrogator or reader with an antenna. The reader sends out electromagnetic waves.

The tag antenna is tuned to receive these waves. A passive RFID tag draws power from a field created by the reader and uses it to power the microchip’s circuits. The chip then modulates the waves that the tag sends back to the reader and the reader converts the new waves into digital data.

RFID is used for retail inventory control, and the first known cases of RFID-tagging of employees emerged with the Attorney General of Mexico reporting that he and members of his staff had the tiny chips implanted in their arms to ensure authenticated access to the new criminal information centre containing sensitive criminal databases and sophisticated communications systems.

Other employers, such as hospitals largely outside the U.S., are reportedly evaluating similar usage to control access to patient information by medical staff. By some estimates more than 1,000 individuals worldwide have had chips implanted under their skin.

Camera phones

Cellphones with built-in cameras are a growing privacy issue for both consumers and organizations. The phones, with their discreet lens, tiny size and ability to immediately transmit images onto the Internet or other cellphones, are a voyeur’s dream and a security nightmare.

South Korea, which has one of the world’s highest concentrations of cellphone users, is already drafting regulations to protect consumer privacy. Beginning next year new camera phones will be required to emit a loud sound whenever pictures or videos are taken.

Ian Turnbull is executive director of the Canadian Privacy Institute, and author of Privacy In The Workplace — The Employment Perspective. He is also a managing partner of Laird and Greer Associates. For more information visit .
