Best practices: 'You've got to be really clear in communicating how that information will be used'
CBC faced an unwelcome spotlight recently when employees raised concerns about the use of their personal information.
Details about workers’ sexual orientation, gender identity and religion apparently popped up in their profiles on Workday after the broadcasting company did a “cultural census” as part of its equity, diversity and inclusion program.
“It feels like management tricked us into telling them very personal details in the name of improving diversity,” said one worker, while another claimed it was a betrayal of trust.
However, a spokesperson claimed that CBC employee information remained “strictly confidential” and that only a “select few” people within the organization have access to employees’ identity details.
Both CBC and Workday declined an interview request from Canadian HR Reporter.
‘You have to be extremely explicit’
The CBC story “hit a little close to home,” says David Owen Cord, co-CEO of Avanti Software in Calgary, who said some elements weren’t necessarily “abnormal” while others were “problematic.”
For example, conducting this kind of survey can make sense to better understand your demographic and cater to your employee base “in a more curated or intentional way,” he says.
However, “what they didn't make clear was they would attach that information to individuals’ profiles.”
An employer should be “really explicit” about why it is including that information for a positive benefit, says Cord.
“You should be clear about that upfront, and you should make it voluntary or optional, because certainly not everyone's going to be comfortable with that.”
Any time an employer is requesting an employee submit something that could be considered confidential or personal, “from a privacy standpoint, you've got to be really, really clear, in my opinion, in communicating how that information will be used,” says Cord.
“You don't want to seek data for the sake of seeking data,” he says. “And I think sometimes these days, we can fall into that fallacy of ‘More is better.’”
A lot of human capital management (HCM) or human resources information systems (HRIS) allow HR to modify or customize what type of information might be contained in an employee profile, says Cord, “so if you're seeking to include certain fields, I think it's important to be really thoughtful about, ‘Why are we doing that? How would we use that? Why does that benefit the employee or the employee base?’ As opposed to just ‘Hey, let's throw it in, and let's make sure we're capturing it’ without too much thought being put into it.”
Asking the right questions
It's a real problem, says John Hyde, a specialist in labour law based in Toronto.
“Human nature being what it is, we see a document and say, ‘Well, here's a field, let's complete it. Because we're doing a better job and collecting the information’ — at least that's what we think. But at the same time, you have to say, ‘Do I really need that information? Does [my] organization need that information?’” he says.
“The more information you collect — and particularly information that's not needed — then you're creating a potential Pandora's Box.”
The biggest problem here was communication and consent, according to Hyde.
“I don't think there was any malintent here on the part of CBC — their goals were laudable — it’s just how it was handled.”
There are several important considerations for HR when it comes to doing these types of surveys, and storing personal data in HR systems, he says.
For one, HR should only be collecting information that is necessary for the employer’s specific purposes: “Any information which is additional, that is unneeded, should not be collected, should not be kept,” says Hyde.
That means asking questions like “What personal information do you collect? Why do you collect it? How do you collect it? What do we use it for? Where do we keep it?”
It’s also important to tell employees the purpose for which you're using the information, he says.
“The case law has established, and the legislation is fairly clear: Collect only the personal information your organization needs to fulfill their legitimate, identified purpose. And also, be honest about the reasons you're collecting the personal information.”
There’s definitely been a growth in class-action proceedings in relation to privacy breaches, says one Canadian lawyer, and “that law is still evolving.”
Consenting to data collection
Also important? Consent.
HR should clearly identify the purpose when securing valid, informed consent, says Hyde.
“It has to be informed consent, but it has to be for an identified purpose; otherwise, you can't collect information. And to that end, if your objective… with respect to collecting the information, did change and you want to use it for something else, then you have to remember you have to go back and secure new consent from your employees.”
Of course, Canada has privacy legislation such as provincial laws and the Personal Information Protection and Electronic Documents Act (PIPEDA), but there's also the employee’s reasonable expectation of privacy and security, he says.
“Organizations have to respect that and put in programs and principal programs, which actively protect that information, and continue to manage that information in a responsible way,” says Hyde.
“You have to have significant safeguards in place to protect personal information in a way that's appropriate as to its sensitivity. You have to prevent loss, theft, unauthorized access or disclosure, copying or even modification.”
The Ontario government recently passed the Working for Workers Act, 2022, which requires all employers with 25 or more employees to implement a written policy on electronic monitoring of employees. The policy must state whether or not employees are being electronically monitored and, if so, for what purposes.
Controlling the data
The security side of the equation is important, and HR should do a good job in vetting these providers, says Hyde, particularly with ones based in the States who might not be familiar with Canada’s laws.
“You have to be very careful about who you're hiring and… you have to have knowledge of where this information is going, what is this going to be used for, how it is going to be collected, how it is going to be stored?”
When it comes to employee privacy and data protection, vendors should take “an immense amount of care,” says Cord, and so there are a lot of best practices in the industry — including third-party certifications around how data is managed, how it's kept private, and how it's used.
That includes controls or a set of controls (SOC) and different types of audits that can be put in place, he says, along with access control.
“You can really manage down to a high degree who has access to what in the organization, who can see what, and that often comes with pretty detailed… audit logs. So if a manager were to access someone's information and change it, typically that's the kind of thing that would always be recorded and so can be used to prevent some of the mistakes or unintended access and so forth.
“But definitely, it's a really, really important consideration for anyone who's selecting a software system that's going to be housing such sensitive information.”
In the same vein, almost no software companies these days actually own their own servers to house that data, says Cord.
“It's actually highly likely your data is stored in some third-party organization servers, like… AWS or Amazon Web Services,” he says.
“I actually don't think that's necessarily a bad thing, because these organizations spend an immense amount of money on security.”
Further, Avanti only uses data centers in Canada, says Cord, because with some of the Information Act privileges that the U.S. has, “we want to make sure employees’ information is stored within the country. And I'm not sure every organization follows that or does that necessarily.”
Avanti was named one of the Best HR Software and Technology Providers in the HRIS Solutions category.