Internal Investigations and Employee Privacy


Published on

A presentation to fraud investigators on managing privacy issues in investigations. Focus is on bridging the divide between legal and privacy officers and investigators.

Published in: Business, Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Internal Investigations and Employee Privacy

  1. 1. Internal Investigations and Employee Privacy (and More)<br />Dan Michaluk13th Annual ACFI Fraud Conference<br />May 3, 2011<br />
  2. 2. Outline<br />Investigators and employee privacy<br />How the investigation exemptions work<br />Special collection issues<br />The investigation record<br />
  3. 3. Investigators and Employee Privacy<br />Employee privacy rights<br />Come from statute in the federal sector, the public service (excluding Ont.) and in B.C., Alta. and PQ<br />Come from collective agreements and arbitrator-driven law (for unionized employees)<br />At the very outside range of acceptable conduct, come under an individual employment contract (Colwell)<br />
  4. 4. Investigators and Employee Privacy<br />Why your internal clients care about privacy<br />Employees and unions care more now<br />There’s been a slow shift in attitude about privacy in the workplace<br />An institution’s relationship with its privacy regulator matters<br />Some labour arbitrators exclude evidence obtained through an “unlawful” collection<br />
  5. 5. Investigations and Employee Privacy<br />Help your client view investigation tactics by their risk<br />Legal issue is usually “reasonable necessity”<br />It’s never right to say “yes or no” - assessing a tactic is about articulating the degree of risk<br />Usually your client should make the call<br />Demand that your clients make a risk-based assessment<br />
  6. 6. Investigations and Employee Privacy<br />Your quid pro quo is to acknowledge that privacy matters<br />You can help by recognizing some tactics as invasive and assessing its relative efficacy<br />If you dismiss privacy as inimical to your role you will run in to problems<br />Protect your own internal credibility<br />
  7. 7. How the Investigation Exemptions Work<br />You’re not “law enforcement” any more<br />Public sector privacy statues include broad authorizing provisions to enable law enforcement<br />Courts have recognized that police need to police and can make assumptions about criminal behaviour<br />Private security is different<br />
  8. 8. How the Investigation Exemptions Work<br />Relieve against consent rule on certain conditions*<br />Condition 1 – reasonable grounds<br />Condition 2 – necessary part of covert investigation<br />Condition 3 – breach of agreement or “law”<br />*Differ by statute and have interpretive peculiarities<br />
  9. 9. How the Investigation Exemptions Work<br />Commissioner powers<br />Have broad power to scrutinize how you investigate<br />They don’t have a strong history of interference<br />UBC Spyware case is a notable exception<br />If you think about privacy and can demonstrate you have done so they are less likely to interfere<br />
  10. 10. Specific Collections<br />Electronic communications<br />Very rich information<br />Fairly full right of access historically and today<br />Ont. C.A. has recently recognized an expectation of privacy in stored files (different than e-mail and text messages)<br />Employers should make personal use conditional on an audit right and investigation right<br />
  11. 11. Specific Collections<br />Covert video surveillance<br />Surveillance images are recognized by commissioners as sensitive personal information<br />Now addressed by (relatively strict) OPC guideline<br />More than “mere suspicion” required<br />Likely to be efficacious<br />Consider less invasive means<br />Delete or depersonalize extraneous PI<br />Decision-making process is key<br />
  12. 12. Specific Collections<br />Customer records of employees<br />There’s a “two hat” problem here<br />Employees enrol as customers and expect to be treated as customers<br />The “use” exemption in PIPEDA is worded than the “disclosure” exemption – does this pose a problem for investigations that can’t be framed as an investigation into a breach of public law?<br />
  13. 13. Specific Collections<br />Records of PI held by third-parties<br />Cell phone records or credit history records<br />Private security has limited ability ask and receive from 3P under privacy statutes (check jurisdiction)<br />So generally part of the “open” investigation<br />Enforcement duty to cooperate with investigation will hinge on the logic of the demand (won’t get away with fishing, but ee “right to silence” is limited)<br />
  14. 14. The Investigation Record<br />Interview notes<br />Name and date<br />No paraphrasing<br />Essence of response plus behaviour<br />No commentary<br />Nothing beats ink<br />
  15. 15. The Investigation Record<br />Project communications<br />Facts and plans are safe<br />Don’t deliberate over e-mail<br />Don’t send draft conclusions/reports over e-mail<br />
  16. 16. Internal Investigations – Staying on Side of Employee Privacy (and More)<br />Dan Michaluk13th Annual ACFI Fraud Conference<br />May 3, 2011<br />