Privacy and Human Resources Management
e-Business: The HR Challenge
November 20, 2002
Privacy Commissioner of Canada
(Check Against Delivery)
It's a great pleasure for me to address a conference on privacy and human resource management. As human resource managers, you are in the forefront of the privacy issue.
Recent events have forced us to look hard at privacy, in the workplace and elsewhere, in ways we never did before. And for you, this is a critically important challenge. Your work gives you access to, and responsibility for, the personal information of employees and job applicants.
This challenge is not something to be taken lightly, because privacy is one of the most fundamental of human rights. It's what lets us live as free individuals: free to read what we please, think as we please, associate with whom we please. It means that we don't have to go through life with someone watching over our shoulders, watching our every move, every purchase, every human interaction; someone analyzing patterns in our behaviour; interpreting, and maybe misinterpreting, our actions; judging, and maybe misjudging, our intentions.
Privacy is a fundamental human right, recognized as such in the United Nations Declaration of Human Rights. It is, as Justice La Forest of the Supreme Court of Canada so eloquently put it, "at the heart of liberty in a modern state."
But it's not only a fundamental human right, it's also an innate human need. When you go home at night, you probably close the curtains, draw the blinds, not because you're doing something bad, but because you need your privacy.
If you're on an airplane or a bus reading a book and someone starts reading over your shoulder, it probably makes you uncomfortable. It's not that what you're reading is secret or embarrassing; it's just that your privacy is being invaded.
If you've ever had the misfortune of having your home or even your car broken into, you know that the sense of intrusion, of having your privacy violated, can be even more painful than the loss of whatever was actually stolen.
I define privacy as the right to control access to one's person and to information about oneself. And nowhere is that fundamental human right, that innate human need, the right of privacy, more important than in the workplace, where we spend so much of our time and where so much of our lives is defined.
Freedom of thought, association, conscience, and speech, to name just a few, are all grounded in our right to privacy.
We don't surrender those rights and freedoms when we walk through the doors of the office or factory. Sure, some people claim that employees lose all their rights when they are on the employer's time and property and using the employer's equipment. But I don't believe that, arbitrators and judges don't believe that, and I'm sure you don't believe that. Employees have had established, recognized rights to privacy in the workplace for a long time.
That's obvious, actually, if you look at how employers have traditionally treated questions of privacy in the workplace. Typically, employers don't eavesdrop on telephone calls, they respect privacy in personnel issues, and they exercise care and restraint when providing services to clients or employees on sensitive matters.
The passage of the Personal Information Protection and Electronic Documents Act, or the PIPED Act as we call it, has significantly advanced the privacy rights of employees. It codifies, in a very clear way, a fundamental right of privacy in the workplaces that it covers. It firmly establishes the primacy of consent, the central concept of privacy, in any collection, use, or disclosure of personal information. And it puts an important limit on consent: even with consent, an organization may only collect, use, or disclose information about its employees for purposes that a reasonable person would consider appropriate under the circumstances. That means that people don't have to consent to losing all their privacy just so that they can have a job.
Let me begin by giving you a very brief synopsis of the Act.
The Act strikes a balance between individual privacy rights and the needs of organizations to collect, use, and disclose personal information. The basic outline of the Act, from an employment perspective, looks like this:
If an organization covered under the Act wants to collect, use, or disclose personal information about its employees, it needs their consent, except in a few specific and limited circumstances.
It can use or disclose its employees' personal information only for the purpose for which they gave consent when it collected the information.
Even with consent, the organization must limit its collection, use, and disclosure of personal information to purposes that a reasonable person would consider appropriate in the circumstances.
Employees have the right to see the personal information that the employer holds about them, and to correct any inaccuracies.
There's oversight, through me and my Office, to ensure that the law is respected and there's redress if employees' rights are violated.
Right now, the Act applies to all personal information, including personal health information, that's collected, used, or disclosed in the course of commercial activities and employment by federal works, undertakings, and businesses. That is primarily banking, telecommunication, broadcasting, and transportation companies. It also applies to personal information that's held by provincially-regulated organizations when it's sold, leased, or bartered across provincial or national boundaries.
As of January 2004, the application of the Act will extend to all commercial activities that normally fall under provincial jurisdiction, except where provinces have passed substantially similar privacy legislation of their own.
That's only for commercial activities, though. With respect to employment, the Act will still apply only to federal works, undertakings, or businesses.
I want to be clear on this point, because there seems to be some confusion about the application of the PIPED Act to employee information. The Act will not apply to employee information collected, used or disclosed by a provincially-regulated organization regardless of what a province might do.
Some people might take that to mean that employers in provincially-regulated industries can ignore the Act. But that would be very short-sighted, because the chances are very good that provinces will pass similar laws covering their own provincially-regulated workplaces.
Many provinces will be enacting privacy legislation for the private sector in the near future. Ontario, as you know, has already begun that process. Provincial privacy laws are likely to apply to employment the way the PIPED Act does, for a couple of reasons.
One is the simple fact that the Act is based on internationally recognized data protection standards. These standards are the basis of voluntary codes and privacy laws in most jurisdictions around the world. Provincial privacy legislation will probably be based on them, and thus look a lot like the PIPED Act.
Another is that provinces want to ease exchanges of personal information with jurisdictions, such as the European Union, that insist on protection of personal information in employment.
In short, provincial privacy legislation will probably apply to employment, and look a lot like the PIPED Act. And even if you happen to be in a province that doesn't pass such legislation, you're going to have a pretty unhappy work force if you disregard their privacy rights in ways that would be illegal in most other provinces.
So let me tell you a little about a couple of my findings in complaints that were made to me under the Act, to illustrate how the Act works and what is expected of employers under it.
A truck driver complained to me that an international trucking company terminated his employment when he refused to hand over personal information to it.
The company required that its cross-border drivers fill out a registration form for the Canada Customs and Revenue Agency's new Customs Self-Assessment Program, and return the form to the company. This particular driver accepted that he had to provide the form to Customs, but he wanted to provide it directly; he didn't want his employer to have access to the personal information on the form. So he refused to return the form to the company. The company told the driver, "Return the form to us or we terminate your employment." And that's how it ended, with the company terminating his employment.
I concluded that this complaint was well-founded. The Act requires that collection of information be limited to what's necessary for the organization's purposes. Was that the case here? It was necessary for the driver to complete an application for the program. But it was Customs that needed the form, not the employer. As long as it was returned to Customs, there was no need for the information to be returned to the employer.
And the Act requires that information be collected by fair and lawful means. Well, the company threatened the employee with dismissal if he didn't hand the information over. That doesn't meet any kind of fairness test, when the employer has no right to the information in the first place. Fortunately, as a result of my finding, the driver got his job back.
The lesson of this is that a lot of the time, compliance with privacy law is less rocket science than simply common sense. This was a case of an employer getting itself into unnecessary trouble. All that was required was a basic respect for the employee, a good hard look at who required what information, and a recognition that the best way to get something is to ask for it and explain why you need it. If the company had taken that approach, it wouldn't have wound up where it did.
Another complaint illustrates some of what I said earlier about two central principles of the Act, consent and the reasonable person test.
Employees of a nuclear products facility complained to me that the company was requiring them to consent to the collection of personal information, specifically a security clearance check. They were told that if they did not consent they would lose their jobs or be transferred.
You'll recall what I said about compulsory consent. The Act protects against it, by requiring that an employer only collect, use, or disclose personal information for purposes that a reasonable person would consider appropriate. In short, an employer can make consent a condition of employment, but only if it's consent to something reasonable and appropriate.
So in this case, the key question was, would a reasonable person consider it appropriate in the circumstances for the company to collect personal information from employees for the purpose of conducting security clearances?
The company's nuclear products division is licensed by the Canadian Nuclear Safety Commission, or CNSC. Without that licence, it can't produce nuclear fuels.
In November 2001, the CNSC ordered that its licensees not permit any person to enter or remain in a licensed facility without a security clearance.
The company advised its employees of the new requirements, and provided them with consent forms. Their bargaining agent negotiated an agreement whereby any employee who did not pass the security check could transfer to another division, though not necessarily at the same job level.
The complainants argued that their consent to the collection of their personal information was not meaningfully voluntary, since if they did not give consent, they could lose their employment entirely.
My conclusion was that a reasonable person would consider it appropriate in the circumstances for the company to collect this personal information from its employees.
Given concerns about possible acts of terrorism at nuclear facilities, it was reasonable that the CNSC would impose an enhanced security requirement on its licensees.
And it was also reasonable that the company would comply with the CNSC requirement. The alternative would be for it to lose its licence to produce nuclear fuels, which, of course, might have led it to lay off the complainants.
The employer had made consent a condition of employment, but it was consent to something reasonable, something that, in these particular circumstances, was an unavoidable condition of the employment relationship, like a name or a Social Insurance Number.
On the subject of consent, let me touch briefly on something that I know many of you are interested in: the transfer of information to a third party for processing. If you outsource some function like payroll, for example, you may be wondering if you need consent for that.
It's important to understand that the Act recognizes a difference between disclosures of personal information and transfers of personal information. A disclosure involves providing personal information to a third party, including an affiliated but separate organization. The information passes out of your control and into the control of the organization to which you disclose it. For that, the Act requires you to have consent.
A transfer, on the other hand, involves providing information to a third party simply for processing purposes. You don't need consent for a transfer, provided the third party only uses the personal information for the purpose for which it's transferred. The information remains your responsibility. The Act requires you to ensure, by contractual or other means, that the third party protects it.
I want to turn now to a more general issue involving the PIPED Act and privacy in the workplace, and that is the question of building privacy into your human resources management systems, ensuring that your information systems are built to respect privacy.
There are three fundamental points that I would urge you to keep in mind when you're looking at what the PIPED Act has to say about how to manage an organization's human resource information.
The first is that you need to look at the spirit of the Act, not just its letter. Although the Act does apply to employment, its primary focus is on relationships between organizations and their customers. You're not often going to find black-and-white answers to detailed employment questions. You have to bear in mind the principles of the Act.
The second is that a very good starting point for assessing your personal information handling practices and systems is the reasonable person test: the question of whether personal information is being collected, used, or disclosed for purposes that a reasonable person would consider appropriate in the circumstances. That's one of the most important provisions of the PIPED Act, and I expect it to figure in provincial legislation, too. It's a sort of privacy touchstone.
The third point is that you should not confuse privacy with either confidentiality or security. These terms sometimes get used interchangeably. In fact, they're entirely separate issues.
Privacy is our fundamental right to control information about ourselves-including the collection, use, and disclosure of that information.
Confidentiality is the obligation to protect personal information in your care, to maintain its secrecy and not misuse or wrongfully disclose it.
And security is the process of assessing and countering threats and risks to information.
It's privacy that drives the duty of confidentiality and the responsibility for security. If privacy is not respected, ensuring confidentiality and security is not enough. If you collect, use, or disclose information about employees without their consent, you've violated their privacy. That fact doesn't change just because you ensure the confidentiality and security of the information.
It's useful to think of your responsibility for personal information as extending "from end to end." What that means is that from the moment personal information first touches your hands, to the moment it is properly disposed of, it is your responsibility to respect the person's privacy. It doesn't just start when you secure the information in a database, or end when you pass the information on to another party.
So, what does all this mean for human resource information systems? What would a privacy-friendly information system look like?
Fundamentally, you need to use the guideline of "who needs to know what." Employees should be able to reveal information about themselves where they need to, as much as they need to, and no more.
Some people in your organization need access to some specific elements of employees' personal information; other people need access to other elements. A supervisor needs to know certain information about an employee's performance, for example. The human resources officer responsible for pay and benefits doesn't need to know any of that information. Conversely, the HR officer may need to know, for pay and benefits purposes, how many dependents the employee has, or his or her Social Insurance Number. The supervisor has no need to know any of that information.
It's always been good practice, and something of a challenge, to segregate these kinds of information in an organization. It's even better practice, and maybe more of a challenge, in an organization using modern digital information systems. The challenge now is to incorporate privacy principles into the architecture of the system.
Above all, it's crucial to remember the importance of knowledge and consent: employees should know what information you are collecting about them, and how you are using and disclosing it. And they should have the opportunity to exercise control over that collection, use, and disclosure, through the power of consent.
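As an added illustration, not code from the Commissioner's office or from any HR product, here is a small Python model of the two principles just described: each field of an employee record is bound to the purpose it was collected for, a role sees only its own fields and only for that purpose (the supervisor never sees the Social Insurance Number, the pay and benefits officer never sees performance notes), consent can be withdrawn, every decision is logged, and the employee can see what is held and who has looked at it. The field names, roles and sample employee are assumptions made for the example.

```python
"""Need-to-know, purpose-bound access to an HR record (added illustration;
field names, roles and the sample employee are constructed, not real data).
A field carries the purpose it was collected for; a role may read it only if
entitled to it, for that purpose, and with the employee's consent to it."""
from dataclasses import dataclass, field

# Purpose each field was collected for (constructed sample policy).
FIELD_PURPOSE = {
    "performance_rating": "performance management",
    "performance_notes": "performance management",
    "dependents": "pay and benefits",
    "sin": "pay and benefits",
}
# Fields each role is entitled to: the supervisor never sees pay data,
# the pay and benefits officer never sees performance data.
ROLE_FIELDS = {
    "supervisor": {"performance_rating", "performance_notes"},
    "hr_pay_benefits": {"dependents", "sin"},
}

@dataclass
class EmployeeRecord:
    fields: dict      # field name -> value
    consented: set    # purposes the employee has agreed to

@dataclass
class HRStore:
    records: dict     # employee id -> EmployeeRecord
    audit_log: list = field(default_factory=list)  # every decision, allowed or denied

    def read(self, role, purpose, employee_id, wanted):
        """Return only the fields `role` may see for `purpose`; log each decision."""
        rec = self.records[employee_id]
        released = {}
        for name in wanted:
            if name not in ROLE_FIELDS.get(role, set()):
                reason = "deny:role-not-entitled"
            elif FIELD_PURPOSE.get(name) != purpose:
                reason = "deny:purpose-mismatch"   # collected for another purpose
            elif purpose not in rec.consented:
                reason = "deny:no-consent"
            else:
                reason = "allow"
                released[name] = rec.fields[name]
            self.audit_log.append((role, purpose, employee_id, name, reason))
        return released

    def subject_access(self, employee_id):
        """The employee's own view: every field held, its purpose, and who has
        actually seen it (the right of access the Act gives employees)."""
        rec = self.records[employee_id]
        seen = [e for e in self.audit_log if e[2] == employee_id and e[4] == "allow"]
        return {
            "fields": {n: (v, FIELD_PURPOSE[n]) for n, v in rec.fields.items()},
            "consented": sorted(rec.consented),
            "accessed_by": sorted({(e[0], e[3]) for e in seen}),
        }

    def withdraw_consent(self, employee_id, purpose):
        """Consent can be withdrawn; later reads for that purpose are denied."""
        self.records[employee_id].consented.discard(purpose)

# Constructed sample employee (the SIN is a placeholder, not a real number).
STORE = HRStore(records={"E100": EmployeeRecord(
    fields={"performance_rating": "meets", "performance_notes": "on track",
            "dependents": 2, "sin": "000-000-000"},
    consented={"performance management", "pay and benefits"})})
```

The denial reasons in the audit log are what a privacy officer would review: a stream of "purpose-mismatch" entries from one role is a sign that a system or a process is asking for data it was not built to need.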
If you are constructing new human resource information systems, or making serious modifications to an existing one, you want to build privacy in at the outset. For that, a good model to emulate is the practice of the federal government, believe it or not.
For some time, I've strongly urged the federal government to do Privacy Impact Assessments of all its new or redesigned information systems, including the systems that are going into its Government On-Line initiative. I'm pleased that the government, as a matter of policy, has made these Privacy Impact Assessments mandatory for its departments and agencies. A similar kind of process, on a smaller scale, can be adopted by any business.
What this process entails, simply, is analyzing the likely impacts on privacy of a project, practice, or system. It involves looking at all the personal information practices that go into the system, such as what kinds of information are collected, how consent is obtained, how and for how long the information is kept, how it's used, and to whom it's disclosed.
You would want to look at things like the purposes for collection, use, and disclosure of personal information, the authority you have for them, what kinds of linkages there will be between this and other information, and how individuals will be able to exercise their right of access to their information. And of course you would want to look at privacy legislation and principles, and assess how your system complies with them overall.
Some of the kinds of questions you might want to consider are the following:
Will the system limit access to individuals with a need to know?
Will it be possible to make inferences about an individual's life away from work?
Will the system effectively amount to surveillance? Will you be tracking your employees' activities at work, or at least facilitating that kind of surveillance? If so, is that kind of surveillance justified?
Those are questions about possible violations of privacy. You also need to ask questions about the resources to deal with them, such as whether you have an accountability structure in place to deal with privacy issues. Is there somewhere in the organization that employees can go if they have a privacy problem? Remember that if you're in a workplace that is a federal work, undertaking, or business, you're required to be accountable for personal information in your control. You have to be able to provide people with timely access to their own personal information. Do you have someone who really understands privacy, who can help and advise them? And can that person swing some weight with managers, and ensure that they respect privacy?
This may seem complex or daunting, but it's worth it. It's an excellent way to evaluate the impacts of a management information system on privacy, and determine what's required to overcome the negative impacts.
Doing this kind of assessment enables you to sensitize the people in your organization to privacy issues. It can help you to create an organizational culture of respect for privacy, where everyone supports and understands privacy as part of the corporate goal.
And it's a very useful tool for monitoring your human resource information system over time. You've identified privacy risks, you can see whether your means of addressing them are working, and you're alert and attuned to new, unforeseen ones coming up.
Down the line, when you're reviewing the compliance of your systems with privacy legislation and principles, the assessment you've done is an excellent basis for ensuring that those involved in the review (system operators, management, and representatives of oversight bodies) understand each other and the system.
Respecting the fundamental human right of privacy is as much a business goal as the bottom line of the ledger is. In fact, it's a key part of the bottom line because your employees are your most important asset.
You serve your organization well by building it into your systems. Help your organization respect that fundamental human right of privacy, and you'll see it win the trust and respect of employees as well as customers.
Respecting privacy in the workplace imposes certain requirements on employers. They have to focus on who really needs to know what. They have to know what personal information they collect and what they do with it. They have to be honest with themselves about what they need to know, and restrain their curiosity when it runs up against employees' privacy.
That's a challenge, of course. But it's also, quite simply, good business practice. A workplace staffed by happy employees whose privacy rights are respected by the employer is a productive workplace. And that brings a competitive advantage to the firm that respects privacy.