Put Your House in Order – Pitfalls of Inadequate Privacy Policies
Privacy concerns are often overlooked when an organization assesses its risks and liabilities. Internal policies and mechanisms, if not structured properly, leave an organization exposed to incidents ranging from inadvertent disclosure of information to cyber-attacks and data breaches.
The Personal Information Protection Act (“PIPA”) is Alberta’s legislation governing the protection of an individual’s personal information by organizations in the private sector. For the most part, PIPA applies to all organizations in Alberta that are not public bodies and do not fall directly under PIPEDA, the federal Personal Information Protection and Electronic Documents Act, which applies in Alberta to federal works, undertakings or businesses.
Accordingly, privacy legislation applies to all Alberta corporations in the construction industry, the majority of which will fall under PIPA. Organizations are required to protect the personal information of individuals, which includes customers and employees.
PIPA was designed to “govern the collection, use and disclosure of personal information by organizations in a manner that recognizes both the right of an individual to have his or her personal information protected and the need of organizations to collect, use or disclose personal information for purposes that are reasonable” (PIPA, section 3).
By default, PIPA prohibits the collection, use, or disclosure of personal information without the consent of the individual, and even where consent has been given, personal information may only be collected, used, or disclosed for purposes that are reasonable. Exceptions do exist, but they are limited to a defined set of circumstances that are clearly identified in the legislation.
One of the easiest ways to safeguard against potential breaches is to ensure privacy policies are robust and updated regularly. An organization does not acquire an absolute right to collect, use, and disclose personal information simply because it provided notice to its employees. Without express consent from employees, or their acknowledgment of how their information will be collected, used, and disclosed, an organization opens itself up to liability for failing to meet its privacy obligations.
Takeaway: Your policies should clearly identify what information is being collected, how it is being used, and under what circumstances that information will be disclosed.
Employee monitoring is a very broad category and can include everything from biometric scanning data to punch cards to video surveillance. Generally, regardless of the level of technology involved, the practical question posed by privacy legislation remains the same: are the measures being taken by the employer reasonable?
An organization implementing any type of technology that may collect personal information about employees remains subject to the reasonableness test. Practically, this means the organization must be able to demonstrate that the technology was necessary, and that both its purpose and the way it was implemented were reasonable in the circumstances.
For example, where surveillance cameras are set up on a job site for security purposes, employees should be made aware of the details of the surveillance, its purpose, and what information may be collected and retained.
Takeaway: Organizations do not have carte blanche to operate surveillance for its own sake; the reasonableness standard must be reviewed and appropriate notice provided.
Protection of Information
Not only does PIPA set the rules for the collection, use, and disclosure of personal information, it also requires organizations to protect that information and to report to the Information and Privacy Commissioner any loss of, or unauthorized access to or disclosure of, personal information where a real risk of significant harm to an individual exists.
Practically, this means organizations must not only stay on the right side of the requirements for collection, use, and disclosure, but must also actively protect the personal information they hold.
Privacy policies should clearly address how information is safeguarded, including sensitive and confidential documentation. Without appropriate safeguards in place, and without staff knowing the correct procedures for sharing sensitive information both internally and externally, an organization opens itself up to liability and loss.
Takeaway: Safeguards must be established to appropriately protect personal information.
Protecting the House
Overall, the risk and liability for failing to adhere to privacy legislation falls squarely on the organization, which bears the burden of proving the reasonableness of its methods. An organization can be reported and investigated for privacy breaches, with possible sanctions by the Information and Privacy Commissioner and exposure to further damages if a breach is found.
An organization’s best response for protecting sensitive business information and minimizing its exposure under privacy legislation is to be proactive, not reactive:
- Develop internal procedures for handling personal information, including employee personal information, and in particular for organizing records so that a request for information from a third party can be answered when the organization is required to respond. Organization and pre-planning make this a much less time-intensive and expensive exercise.
- Develop policies that clearly identify what information is being collected, how it is being used, and under what circumstances that information will be disclosed.
- Train staff on how to properly handle personal information and introduce confidentiality agreements.
- Limit the amount of personal information collected to only what is necessary.
- Establish safeguards for the protection of personal information.
- Establish procedures for the review of monitoring technology with an eye to reasonableness of the use of such technology.
- Review contracts, policies, procedures, and coverage regularly to ensure liability is minimized, or at least addressed, in terms of potential cyber-attacks and data breaches.
- Review contracts and ensure privacy provisions are present, for the protection of personal information and business records, especially in the case of sensitive business or trade information that may be susceptible to disclosure.