'We recommend PIAs are done by employers anytime there is new software or other process introduced which will handle personal information'
Canada’s privacy commissioner recently issued new guidelines to assist employers in the ongoing quest to protect employee information.
The guidelines include eight practical tips for employers and have come at a great time, says one privacy lawyer.
“They had a version of this guidance back in April 2004 and it hadn’t been updated since then, 19 years ago, and basically, workplace privacy has changed quite a bit since then,” says Robbie Grant, associate, privacy and data protection at McMillan in Toronto.
And while the commissioner issued these tips for federally regulated business, “the takeaways that are in here are still quite beneficial across the country, across the board, if you will, for more general guidance,” says Victoria McCorkindale, associate, labour, employment and privacy lawyer at Hicks Morley in Toronto.
Employee surveillance
The move is not surprising considering privacy commissioners across the country have always been concerned about business surveillance and covert surveillance, says Eleni Kassaris, partner and practice group leader at Dentons in Vancouver.
And with more remote-friendly workplaces, some organizations might feel that in order to keep productivity high, workplace tracking should be implemented but key data must be properly handled.
“It’s hard to decide as an employer, for example, to implement any surveillance in the workplace — whether it’s technology-based surveillance like on someone’s computer to track time or video cameras, whatever it is — if employers want to comply with the law, they have to consider privacy,” she says.
Data breaches in spotlight
One of the biggest risks today is around data breaches and employee data, according to Grant.
“Employers, typically, they’re going to have sensitive employee data, such as SIN numbers or bank account details, and health information, and if sensitive data like that is compromised in a data breach, it can lead to a huge financial impact — and, not to mention, it can start to erode employee trust,” he says.
“The unfortunate thing is you can’t 100% prevent against a data breach and so all you can do is mitigate the risk as much as possible.”
One of the best ways to manage a data breach is to have a crisis management plan in place for when it almost inevitably happens, according to experts.
Privacy impact assessments
Before establishing a policy or procedure around privacy, the commissioner recommends employers conduct a privacy impact assessment (PIA) in order to know where the organization currently stands.
“It’s almost like a bit of an audit, where you look at ‘What does the technology do? What information would be collected? Is there a way to make sure that you’re only collecting the information you need for your purposes?’” says Kassaris.
While PIAs are not legally required and are “not yet necessarily a mandatory model, if you have a complaint in front of the Privacy Commissioner, and you haven’t done a privacy impact assessment, I would say good luck because you haven’t done the work and you need to show that your surveillance or any information that you’re collecting, using or disclosing under privacy laws, is reasonable,” she says.
Assessments are also warranted whenever new technologies are introduced into a workplace, says McCorkindale.
“Practically speaking, we recommend PIAs are done by employers anytime there is new software or other process introduced which will handle personal information.”
It can be beneficial for employers to conduct these assessments right at the outset of changes being introduced, she says, “as this allows for the opportunity for issues to be resolved prior to implementation of the technology or procedure when it’s easiest to build in compliance.”
For certain employers, especially if they have global locations, PIAs can be mandatory, says Grant.
“Europe’s GDPR [General Data Protection Regulation] requires them under certain circumstances. The federal government bodies have to conduct PIAs under certain circumstances, and in Quebec, they will be required in limited circumstances soon. Companies in Ontario, for example, they’re not required but they are recommended as a good practice.”
Privacy policies key
Once the PIA has been done, a robust privacy policy is the next best step to take, says McCorkindale.
“In terms of employee privacy and how that’s going to be used by an organization, you want to make sure in any kind of privacy policy that: you’re clarifying purposes for the collection; that you’re ensuring that you’re not over-collecting information that you need so that it is tied to this consistent purpose; and that the information is actually tied to that, it’s not just haphazardly included.”
The policy should also take into account many aspects of technology, according to Grant.
“Often, we’ll see a workplace privacy policy that maybe covers what the HR team has purview into, so they’ll know about the contact information, they’ll know about the information collected during onboarding — but a worker’s privacy policy should also cover anything collected through IT security, electronic monitoring; there’s a lot of incidental collections that often need to be captured.”
Update employees on privacy policies
Employees should also be updated on privacy policies at regular signposts of their workplace journey, he says.
“If we think of the lifecycle of an employee, when they apply for the job, they should be given an applicant privacy notice that describes how their application materials are going to be collected, used, retained, disclosed, etc. Then, if they’re hired, at the onboarding stage, they should be given the privacy policies and asked to acknowledge them; then they also should be notified when those policies are materially updated.”
Recently, a lot of companies have been rolling out diversity and inclusion surveys, which collect more information, says Grant.
“If new information will be collected, they should provide those employees with notices and consent forms if consent is required.”
Keeping employee data long term
When it comes to employee privacy and collecting their data, one of the biggest errors made by employers is keeping the data for too long, says Kassaris.
“Unfortunately, we see organizations keep it for many years, longer than what they need it, which really exposes the organization to risk because if there’s a database and you get access to a bunch of historical data that could have been purged, then your legal liability for that data is much larger than it could have otherwise been.”
Managing how old but still sensitive data is handled and destroyed is also an important consideration, says McCorkindale.
“Destruction has to be done to protect privacy, so using a reputable shredding service, and not just, of course, throwing these hard copies in the recycling bin. You need to be able to ensure that when you’re destroying the information, the records are not reproducible. And then on the digital side of things, being mindful that printers have hard drives: ‘How long has this been stored, and if we’re getting rid of the printer, is there potentially data on that printer?’”
For HR professionals, asking plenty of questions is never a bad idea, says Kassaris.
“It’s incumbent on HR people understanding that they’re going to have an issue with their employees if this isn’t done properly, to ask the hard questions from the information technology staff, from the managers and directors that want this technology to be rolled out. HR needs to make sure that you ask the questions that you need to understand in order to convey the information to the employees appropriately.”