Everything You Need To Know About Workplace Privacy


This is an employee privacy "hot topics" presentation to human resources professionals. It includes sections on sources of employee privacy rights, screening candidate's internet presence in the recruiting process, access to employee communications, cross-border information processing and pandemic planning.

Published in: Business
  • Thank you Trained as an employment lawyer Strong information management and privacy focus Built this need to know presentation around recent experience… types of questions we’re getting Excited to deliver it Five topics Only…. thirteen slides of substance So let’s take questions while we go and see how it flows
  • Two slides on “where do employee privacy rights come from?” What do you have to worry about? Here are the four sources… that’s it Statutory codes -four of them -comprehensive codes based on fair information practices -backed by administrative means of enforcement and anti-reprisal protection Other statutes -Income Tax Act…. written consent to use a SIN for non-tax purpose -Ontario OHSA… can’t seek to gain access to a health record -Charter. Government? Law of unionized workplace – reasonableness doctrine Civil claims for breach of contract and tort… risk more and more real…. but is there a practical means of enforcement?
  • How many from Ontario? How many provincially regulated employers with employees in provinces other than BC, Alberta and Quebec? Your unionized employees can grieve a privacy violation But what about non-union employees? No statute. No access to arbitration. Can you run roughshod over employees because there’s a gap? There is certainly broader scope to manage here… engage in things like surveillance… monitoring… but don’t be too aggressive Bad facts make bad law Colwell an example… first privacy breach constructive dismissal claim Somwar was a current employee If it is a medical information management issue then you may have a link to HR liability
  • Hot, hot topic… Who does it? Collecting personal information that’s been published has very limited protection in law…. If it’s out there it’s out there eh? Only talk about need for change because of the social media phenomenon If you are federally regulated or employing in one of the three provinces there are regulatory risks -authorization -necessity and reasonableness -accuracy But the more pertinent risk is human rights risk Employers have employed structured recruiting processes to manage risk Qualify first through application form – in Ontario backed by section 23 of Code Assess in interview – More information… some employ structured interviews Check background last… - most sensitive information Protects against discrimination claims based on knowledge Think of all the crazy stuff that’s online!!!
  • I think there are cases when you want to do it If you’re hiring someone for a position where their reputation matters a check may be necessary It may be irresponsible not to check Here’s how to do it… avoid the temptation to troll! -do it at the end -think about what information is relevant to the job… what are you looking for -write it down… make it objective -ideally, give it to someone who’s not a decision-maker -get a report back -report becomes the formal record so you don’t have to deal with production disputes about internet search logs
  • Another hot topic… electronic communications monitoring Let’s talk about the established law…. Here’s what it’s based on -computers were a tool to do your work -many reasons to inspect -warned of inspections No reasonable expectation of privacy Arbitrators were not even balancing interests You could do it because you said you could do it
  • Things are changing though Look at the trends -More and more personal use (Who would prohibit online banking? Collection possible through keylogging.) -Mobile devices channel communications through network 24 hours a day -Starting to use social media applications for business purposes Natural to say that employees’ expectations rising If you talk to the person on the street they think it’s private This is a problem for employers
  • So… will the law catch up? We’re seeing signs of change -Quon is a case from California -Going to the USSC -Facts show “informal policy” … -Exactly the point… policy not attuned to reality will not be enforced and therefore not enforceable In Ontario, important case going to OCA called Cole -Criminal case -Teacher at school board -Judge said no expectation of privacy -But worked very hard at it… facts were unique
  • So here’s your choice You can say NO EXPECTATION OF PRIVACY louder May help But people (including your line managers) may not think you’re serious Courts may not think you’re serious So if you do only that … think about how to demonstrate you’re serious The alternative is to recognize a limited right to privacy -but we will audit… here’s how -we will investigate… here’s when… here’s who -we will extract and sort through your full e-mail file if we get into litigation -you put yourself there at your option Then stay within the boundaries… demonstrate respect for privacy should help
  • Lots and lots of questions about this Companies running HRIS out of the US Maybe it’s our economy I hate the question Very hard to compare socio-political risks Lots of employees scared about USA Patriot Act… But is it a risk? Can get into debates amongst the uninformed (both sides uninformed) Here are the rules -Data security is important -If you’re outsourcing… put in all the same strong protections… due diligence -Be aware of socio-political conditions that may cause data risks -Notice is the key special requirement – PIPEDA yes, Alberta yes in policy (new, applies to parent corporations), Quebec yes, BC uncertain more uncertain but… (Fox case) -Cross-Canada employers might as well notify… not hiding it from anyone
  • This is really a slide that stresses good outsourcing practices Applies if you’re giving it to an external service provider Due diligence is important… know all the details about who you’re giving it to (hire a security expert with knowledge of data centers to ask the questions) Contract is key – two key things – control plus security Assume that notice is required unless you get an unqualified legal opinion telling you you’re a-okay
  • Designed this at the time H1N1 was at its peak Still important Before we get into the application… here’s a slide that I’ve used and that people have found helpful in determining the roles in employee medical information management In particular, it’s helped resolve the conflict that your contract or employed medical advisors may feel Let’s be clear… they work for you in most cases They assess, they facilitate return to work and so on They are medically trained members of human resources who also act as a privacy screen (means by which the need to know principle is respected) You need to make that clear to employees Employee health care providers have the health care relationship… fiduciary duty If you do provide health care (to ee’s) you have to be very careful about separating two roles… conflict… need to be careful… another talk
  • Objective – keep employees who are sick out of the workplace Tactic – gate screening for H1N1 infection risk Tactic – return to work screening for H1N1 infection risk MOHLTC guide endorses screening -symptom based (generally no practical ability to rely on diagnoses) -to support a medically valid assessment Federal, BC and Alberta Commissioners said short of a state of emergency you don’t need to ask for sharing health status, including diagnosis Just say you’re sick… yikes! Slightly qualified, but a warning To protect yourself -follow the lead of your local health authority -think about the appropriate trigger for routine/gate screening (versus reasonable grounds questioning) -… and so on
  • Objective – allow people to mitigate harm Scenario – employee living with vulnerable member of the population More aggressive Use a very case-by-case approach Implement some objective threshold – “real likelihood of exposure” Makes sense to notify the person whose information is disclosed
  • Post frequently at slaw.ca Look for background check article that went up this morning
  • Everything You Need To Know About Workplace Privacy

    1. Everything you need to know about workplace privacy
       Dan Michaluk
       January 27, 2010
    2. Outline
       • Employee privacy rights - the patchwork quilt
       • How to run an internet background check
       • Why and how your acceptable use policy needs to change
       • Yes, you can transfer that data to the U.S., but…
       • How to manage the risk of communicable diseases in the workplace
       • Questions
    3. Employee privacy rights and the patchwork quilt
       • Statutory codes
           • Federal
           • Alberta, B.C. and Quebec
       • Other statutes
       • The law of the unionized workplace
       • Civil claims for breach of contract and tort
    4. Employee privacy rights and the patchwork quilt
       • Ontario non-unionized employees have no readily available means to assert a privacy right…
       • … but
           • Risk of constructive dismissal claims (Colwell)
           • Risk of tort claims (Somwar)
           • Risk of human rights liability (e.g. drug testing)
           • Employee relations
       • So be careful
    5. How to run an internet background check
       An information collection model for efficient and compliant recruiting
    6. How to run an internet background check
       • Do it at the end, not the beginning
       • Question what’s relevant
       • Set objective criteria
       • Create a business record of the check
    7. Why your acceptable use policy needs to change
       • Then
           • No personal use
           • No mobile devices
           • No social media (blurring of personal and professional)
           • Therefore…
           • … no reasonable expectation of privacy
    8. Why your acceptable use policy needs to change
       • Now
           • Limited personal use
           • Employer-issued mobile devices
           • Social media means you’re always on
           • Therefore…
           • … individual privacy expectations are rising
    9. Why your acceptable use policy needs to change
       • WILL THE LAW CATCH UP?
    10. How your acceptable use policy needs to change
       • Relying on policy not based in reality is risky
       • Consider a balanced approach
       • Reserve the right to…
       • … audit (with controls)
       • … investigate (with controls)
       • … extract and produce (e-discovery)
       • Tell them data stored on cloud services counts
    11. Yes you can transfer data to the U.S. but…
       • Recognized rules
           • Data security must be equivalent
           • You should be aware of risks that flow from socio-political conditions (but not likely a barrier)
           • Notice should ordinarily be given (but whether it must be given depends on your jurisdiction)
    12. Yes you can transfer data to the U.S. but…
       • What to do
           • Employ due diligence
           • Enter contract to control the information
           • Enter a contract to guarantee security
           • Give notice subject to legal advice that notice is not required
    13. How to manage the risk of disease
       [Diagram labels: Employer, Employee, HCP, Medical Advisor]
    14. How to manage the risk of disease
       • Screening
           • Be transparent about policy
           • Only above an objective threshold
           • Use a process based on medical science
           • Use an occupational health professional if you can
           • Keep records (of due diligence) secure
    15. How to manage the risk of disease
       • Warnings
           • Be transparent about policy
           • Only above an objective threshold
           • Routine disclosure highly questionable
           • Disclosure based on a real need to allow people to mitigate risk
           • Notification of disclosure back to individual
    16. Dan Michaluk
       • Hicks Morley Hamilton Stewart Storie LLP
       • (416) 864-7253
       • [email_address]
       • or
       • Twitter
       • LinkedIn
    17. Everything you need to know about workplace privacy
       Dan Michaluk
       January 27, 2010