It's 11 p.m. Do you know where your employee files are?

Personal privacy has become a hot topic in Canada.

In the past, there really haven’t been legal standards for the protection of information. But the rapid expansion of the Internet and electronic commerce, as well as stricter European privacy regulations that affect transfer of employee data across borders, have brought the issue front and centre and a new thoroughness is being applied to privacy protection in Canada.

Standards set by the Canadian Standards Association (CSA) are being used as guidelines to create new laws to protect personal information.

The federal government recently enacted the Personal Information Protection and Electronic Documents Act.

In Ontario, there is significant debate over the consultation paper, Proposed Ontario Privacy Act, as well as the Proposed Personal Health Information Act (Bill 159). Privacy acts already exist in other provinces, British Columbia and Manitoba, for example.

HR obligations about privacy

What this all means is that organizations will have a legal obligation to protect employee information.

The question then arises: Does your organization properly manage personal information in its possession? The human resources department has two critical roles in making sure it does.

First, it is the custodian of personal information about prospective, current and former employees. Second, it is responsible for the policy framework and practices related to employee behaviour.

How would you assure your CEO that the organization is managing personal information in an appropriate manner?

Every organization maintains personal information on two groups of people: employees, and customers and suppliers. The proper management of personal information is simply good customer and employee relations. But it is rare to find an organization that has a comprehensive personal information management program in place.

A privacy program

A comprehensive employee information program includes policies, procedures and controls to manage the collection, use, access, transfer, storage, archiving and destruction of confidential employee information. The program would cover information in paper or electronic form, and not just information under the control of the HR department. Line managers will need to realize that privacy protection policies will mean that employee information lying around on pieces of paper in their offices is not acceptable.

Part of the problem is that personal information is easy to define but difficult to specify since it includes any information in the possession of an organization, whether it is recorded or not, where that information is about an identifiable individual.

It is very difficult to determine specific types of information that are included. It is interesting that the federal legislation only specifies what is not personal information, namely the name, title, business address and business telephone number of an employee.

For many organizations, now might be the time to review and update personal information management practices, policies and records systems. The human resources department is in an ideal position to provide leadership in updating the organization’s program. First, the principles for managing personal information are the same regardless of whether it is customer or employee information. Second, maintaining the confidentiality of information is ultimately a performance issue. Loss of control of confidential employee information has always been a serious employee relations problem for organizations. In increasingly competitive job markets, accessing employee information has been used to help target and “steal” valuable employees.

CSA’s personal information principles

The CSA has established the following principles for a personal information management program:

• Accountability — One or more individuals in an organization must be designated as accountable for the design of the personal information practices as well as compliance. I often find that existing practices do not adequately define how employees are authorized to perform various roles that involve using personal information, or the scope of these roles. For example, does a formal policy exist that specifically defines and limits access to or use of employee information by HR, payroll, occupational health and safety, finance and information systems staff as well as line managers? Are there similar policies and practices covering customer information?

• Identifying purposes — The purposes for collecting personal information must be identified and disclosed before the information is collected. As an HR professional, think about all of the ways in which personal employee information is used or might be used in managing the diverse range of situations that develop with employees. For example, are HR forms identifying the range of uses of personal information being collected from employees? Do policies specify how personal information may be used when dealing with personnel matters?

• Consent — Informed consent is obtained from the individual before personal information is collected, used or disclosed, except where inappropriate. Do current practices include obtaining consent before collecting personal information?

• Limiting collection, use, disclosure and retention — Personal information will only be collected, used and disclosed for the identified purposes, and will be destroyed when it is no longer needed to fulfil these purposes. How do you fulfil these obligations whether the information is oral, recorded on paper, or in electronic form?

• Accuracy — The principle that the personal information is kept as accurate, complete and up-to-date as is necessary to fulfil the identified purposes. A related principle, individual access, holds that an individual is informed of the existence of the collection of personal information, can have access to this information, challenge its accuracy and completeness and have it amended if appropriate.

• Effective safeguards — Personal information is protected from inadvertent or inappropriate use, disclosure, copying or loss. The extent of the control measures must reflect the sensitivity of the personal information. How safe is employee information from misuse or loss?

• Openness — An organization is open about its personal information management policies and management practices. Mechanisms must also be in place to allow individuals to raise concerns about how their personal information is managed by the organization.

This is truly a new era in personal privacy protection, and legislation requires HR departments to have a comprehensive program in place covering all employee-related personal information maintained by the organization. Do your department’s current practices meet the above principles?

Brian Orr is managing director of OrgArchitect Inc., which helps organizations enhance the value of their people, knowledge and systems. He can be reached at 416-453-8633 or by e-mail at [email protected].
