The Evolving World of Privacy in the Workplace:


A day in the life of a Privacy Officer
Monic Pratch, Chief Privacy Officer, Corporate Secretary and Legal Counsel, FortisBC Group of Companies
April 28, 2015

5 Common Employee Privacy Matters that I see in my role as Chief Privacy Officer:
1. Access Requests for Employee Information
2. Internal Audit & Employee Privacy
3. Internal HR Processes: Simple Reminders
4. Workplace Investigations & Employee Privacy
5. Use of PIAs in the Private Sector HR Context

1. Access Requests for Employee Information

Who is making the request?

Employee request pursuant to PIPA:
- review the file to ensure it is PIPA compliant
- use a standard request form

Lawyer representing an employee:
- clarify whether the request is a PIPA request or a request made as part of a litigation proceeding, as the obligations differ
- use a standard request form
- ensure the request from the law firm is specific (i.e. is it limited to a specific time period? Is it limited to certain records?)
- ensure your response is limited to the records requested

Requests from third-party agencies:
- ask under what statutory authority they are making the request
- review the statute and, if you are uncomfortable, seek legal advice

Requests for aggregated data with personal information removed:
- ensure the data is properly de-identified and cannot be re-identified
- ask for what purpose they want the data and how they are going to use it

2. Internal Audit and Employee Privacy

Oh no, I'm getting audited... or at least my Privacy Management Program is getting audited.

Some immediate questions that arise:
1. What is an audit?
2. What is the Internal Audit department's role?
3. What is the Privacy Officer's role in an audit?
4. What are the outcomes of an audit?

Internal Audit

"Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes." (Institute of Internal Auditors)

Benefits of having a Privacy Audit by your Internal Audit department:
- provides an objective viewpoint on privacy matters and highlights new potential issues
- provides insight regarding the organization's risk tolerance from the department that assesses risk
- trains Internal Audit to recognize privacy risks in other audits
- raises the profile of privacy matters within an organization's senior management team

3. Internal HR Processes: Simple Reminders (that, if not followed, could have significant implications)

Reminder 1: Remember physical security
There is so much focus on electronic records and processes, but sometimes we need to remember that physical processes need to be reviewed as well. A few tips:
- don't leave employee files on desktops
- lock the filing cabinet where employee records are kept
- have a sign-out system for employee records
- use screen protectors

Reminder 2: Little things count
- double-check the address you are sending to
- get a peer review of correspondence containing sensitive personal information

Reminder 3: Convenience is not necessity
Remember to always send only what is necessary, so ask yourself:
- do I really need to include all of this?
- for what purpose do I need to include it?
- is there a less privacy-intrusive way of doing this?

Reminder 4: Remember that e-mails become records
- records can be accessed pursuant to PIPA and in litigation proceedings
- the more records you create, the more records you become responsible for (and potentially liable for)

4. Workplace Investigations & Employee Privacy

In the context of a workplace investigation (not involving a privacy breach), some common questions:
- Am I allowed to collect information from a third party regarding the individual who is the subject of the complaint?
- The investigation is complete and the individual is requesting access to the investigation report; how much information can I provide them?
- The investigation is complete and the Union is requesting access to the investigation report; how much information can I provide them?

There's been a privacy breach with respect to employee personal information. Who should handle the investigation?
- the role of HR
- the role of the Privacy Officer
- follow your breach management protocol
- refer to: "Privacy Breaches: Tools and Resources", published by the BC OIPC in March

5. Use of PIAs in the Private Sector HR Context

Not mandatory... but prudent (in my opinion)!
- When to use a PIA?
- Purpose of a PIA
- Forms of PIAs
- Benefits of a PIA: due diligence; precedent for future projects; roadmap to mitigate privacy concerns

"When it comes to privacy and accountability, people always demand the former for themselves and the latter for everyone else." - David Brin

Questions?

For further information, please contact: Monic Pratch
Find FortisBC at: Fortisbc.com
(250)