Software vendors turning blind eye to privacy

The privacy landscape has changed a great deal in Canada over the last year. On Jan. 1, 2004, the federal Personal Information Protection and Electronic Documents Act (PIPEDA) came into force for organizations in every province that had not enacted substantially similar legislation of its own.

Alberta and British Columbia chimed in with their own private-sector privacy legislation on the same day, joining Quebec as the only provinces whose organizations are exempt from the federal law for activities within the province. Ontario's Personal Health Information Protection Act came into force on Nov. 1, 2004.

Organizations doing any business in the United States, or that use a consultant or service provider south of the border, may be subject to the USA PATRIOT Act and the Sarbanes-Oxley Act. And then there is the European Union, a leader in privacy legislation. Don’t even try doing business in Europe without understanding its laws.

All of these laws have an impact on human resources and payroll. So what are the software vendors that sell human resource management systems (HRMS) doing about it? Not much, apparently.

Although several vendors have stated that they are “working on it,” there is only one vendor I am aware of that has taken positive action — Now Solutions in Mississauga, Ont. (Disclosure: Now is a client of the Canadian Privacy Institute.)

What rules should HR software vendors be dealing with? Here are the basics:

• The privacy laws mentioned above all require that individuals give consent for an organization to collect specific data after being told exactly how that personal information will be used.

• The individual’s consent may be withdrawn at any time, although not retroactively and not without possibly losing some benefit. For example, withdrawing consent for an organization to have your date of birth may mean that you no longer qualify for life insurance.

• Organizations are required to track the use of personal information and to ensure the use is consistent with the reasons originally given for collecting it.

Various laws require that data be retained for certain periods of time. Employment standards legislation, for example, varies across the country but generally requires retention for three to five years. Privacy laws, on the other hand, specify that personal information should be held only as long as necessary for the reasons originally given for collecting it.

There is a very clear difference between the data — the personal information — and the tracking of the use of that data. The personal information can and should be discarded once its retention period ends, and organizations need to ensure a destruction policy is in place and is followed.

But the tracking information — the record of who used what, for what purpose and to whom it was sent — must be kept for as long as it may be needed to respond to inquiries or complaints, and there is no time limit for that. An employee may ask years after leaving who received their information, and the organization must still be able to answer.

So how does an organization meet its obligations? It should be able to depend on its HRMS software vendor. Vendors should step up and recognize the importance of the issue and show vision by giving clients the tools they need to manage privacy.

Vendors need to recognize the difference between the data and the tracking of that data. The HRMS needs to record the path each piece of personal information takes — where it went, to whom and why — without copying the information itself into that record, so the usage trail can survive after the data has been destroyed. Part of this process is to understand the kinds of demands that may be placed on an organization and its HR department. HR practitioners should:

• define the personal information the organization needs;

• write down the reasons why each item of data is needed (this is a great opportunity for an organization to reconsider what data is collected and why);

• review the rules — who is allowed to see personal information, under what circumstances and why;

• track usage, such as preparing and distributing reports, sending personal information to others inside the organization and, especially, to outside third parties; and

• include in that tracking the personal information and personal health information that goes to insurance and benefits companies or that is received from health-care professionals.
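The following is an added illustration of the distinction drawn above between the data and the tracking of its use. It is example code written for this article, not a product of Now Solutions or any other vendor named here. It models a hypothetical register in which each element of personal information carries its stated purposes and retention period, every use is checked against those purposes and recorded in a usage trail that holds only a keyed fingerprint of the value, and destroying expired data leaves the trail intact. The element names, purposes, employee IDs, recipients and audit key are all constructed for the example.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from datetime import date, timedelta


class ConsentError(Exception):
    """A use not covered by the purposes the individual consented to."""


@dataclass
class DataElement:
    """An item of personal information and the stated reasons for collecting it."""
    name: str                  # e.g. "date_of_birth" (constructed example name)
    purposes: frozenset[str]   # reasons given to the individual at collection time
    retention: timedelta       # how long the value itself is kept after collection


@dataclass(frozen=True)
class UsageRecord:
    """One line of the usage trail: who, what, why, to whom and when.
    It never holds the personal information itself."""
    employee_id: str
    element: str
    purpose: str
    recipient: str             # "internal:payroll", "external:insurer", ...
    used_on: date
    fingerprint: str           # keyed digest of the value released, for later dispute handling


class PersonalInfoRegister:
    """Hypothetical register keeping personal information and its usage trail apart."""

    def __init__(self, elements: list[DataElement], audit_key: bytes):
        self.elements = {e.name: e for e in elements}
        self.audit_key = audit_key
        # (employee_id, element) -> (value, collected_on); this is the data that gets destroyed
        self.data: dict[tuple[str, str], tuple[str, date]] = {}
        self.withdrawn: set[tuple[str, str]] = set()
        self.log: list[UsageRecord] = []   # this is the trail that is kept indefinitely

    def collect(self, employee_id: str, element: str, value: str, collected_on: date) -> None:
        if element not in self.elements:
            raise KeyError(f"{element!r} is not in the inventory; define it and its purposes first")
        self.data[(employee_id, element)] = (value, collected_on)

    def withdraw_consent(self, employee_id: str, element: str) -> None:
        # Withdrawal is not retroactive: earlier usage records stay in the trail.
        self.withdrawn.add((employee_id, element))

    def use(self, employee_id: str, element: str, purpose: str, recipient: str, used_on: date) -> str:
        """Release a value for a stated purpose and record the use, or refuse."""
        key = (employee_id, element)
        if purpose not in self.elements[element].purposes:
            raise ConsentError(f"{purpose!r} is not a purpose {element!r} was collected for")
        if key in self.withdrawn:
            raise ConsentError(f"consent for {element!r} withdrawn by {employee_id}")
        if key not in self.data:
            raise KeyError(f"{element!r} for {employee_id} is no longer held")
        value, _ = self.data[key]
        # A keyed digest rather than a plain hash: a birth date has so few possible
        # values that an unkeyed hash in the trail could be reversed by guessing.
        msg = f"{employee_id}|{element}|{value}".encode()
        digest = hmac.new(self.audit_key, msg, hashlib.sha256).hexdigest()[:16]
        self.log.append(UsageRecord(employee_id, element, purpose, recipient, used_on, digest))
        return value

    def purge_expired(self, today: date) -> list[tuple[str, str]]:
        """Destroy values past their retention period. The usage trail is untouched."""
        expired = [key for key, (_, collected_on) in self.data.items()
                   if collected_on + self.elements[key[1]].retention <= today]
        for key in expired:
            del self.data[key]
        return expired

    def third_party_disclosures(self, employee_id: str) -> list[UsageRecord]:
        """Answer 'who outside the organization received my information?' from the trail alone."""
        return [r for r in self.log
                if r.employee_id == employee_id and r.recipient.startswith("external:")]
```

The point to notice is the last method: after `purge_expired` has removed an employee's date of birth, `third_party_disclosures` can still say that it was sent to the insurer, for which purpose and on which day, because the trail was written without the value in it.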

There is an alternative to getting the HRMS to tackle privacy in the form of a personal information tracking system that is distinct and apart from the HR system. A few software companies have created tools, including eQuest, IBM’s eBusiness, PrivaSoft and ZeroKnowledge.

But the sad truth of the software industry is that most vendors excuse their lack of vision by blaming you — their clients.

“We respond to client requests,” they say. “And our clients aren’t asking for privacy tracking — yet.”

Perhaps. But when you select a software vendor, don’t you look for one that will work to help you stay out of trouble instead of waiting for you to find yourself desperate for solutions? One can only hope.

In the meantime, HR and organizations should consider what their privacy needs are and start to plan to meet obligations to employees, contractors and clients.

Ian Turnbull is a director of the Canadian Privacy Institute and author of Privacy In The Workplace – The Employment Perspective. He can be reached at (416) 410-3877 or visit for more information.
