In a previous article we covered the top privacy challenges facing HR in 2020. Many of these privacy concerns continue to pose challenges for HR in 2021, along with several others that have risen in importance due to the changes in our working environment. In this article, we will outline five of the top privacy challenges for HR in 2021, and suggestions for dealing with them.

1.     Respecting Employee Privacy in the Event of a Positive COVID-19 Test

As the pandemic continues, employers are confronted with questions about the amount of information they can share when an employee informs the employer that they have tested positive for the virus.

Employers are left grappling between their obligation to take reasonable steps to provide a safe working environment for their employees and their responsibility to keep private health information private.

 Do:

  • Ensure that the case has been reported to public health authorities.
  • Send a notification to employees that a possible transmission could have occurred.
  • Specify times and general locations where transmission may have occurred.

 Don’t:

  • Reveal the identity of the employee in question (except in rare circumstances).
  • Reveal information that inadvertently identifies the employee, like the employee’s workstation.
  • Pressure an employee into giving permission to identify themselves.

Keep in mind that once someone has tested positive for the virus, Public Health Officials will take over the contact tracing and notification process.  Your employees may be notified individually if they have been identified as a direct contact with a positive case, and the Health Officials will provide the necessary amount and type of information, and guidance on confidentiality.

2.     Breaches of Employee Information

Most breaches of employee information are not by external but internal players. These breaches are typically accidental, sometimes through negligence, and in some cases by intent. Internal breaches are on the rise, further fuelled by our increased use of digital communication.

Additionally, ransomware attacks, email phishing, social engineering, and network compromises are on the rise. Ransomware attacks alone increased by 41% in 2019. Ransom demands in Canada for 2019 totalled $341 million, but when downtime and indirect costs were factored in, this number rose to $2.3 billion

[source].

A breach of employee information can result in:

  • Financial: loss of funds, credit, employment (fraud and ID theft),
  • Personal: humiliation and loss of status or reputation (disclosure of work to colleagues or family),
  • Physical: damage to the person or property (disclosure to potential criminals).

Do:

  • Consider how safe employee information is and if protection needs to be updated.
  • Have a plan for what you’ll do in the event of a breach.

Don’t:

  • Keep employee information you don’t need.

3.     Breaches of Personal Information while Working Remotely

With remote work comes increased risk associated with informational privacy. Employees take home devices and data that typically wouldn’t leave the office and are using online programs more than ever.

The most common privacy breaches are:

  • Theft: through cyber-attacks or theft of computers, hard drives, or memory sticks.
  • Loss: through the physical loss of computers, hard drives, or memory sticks.
  • Accidental Disclosure: if an employee accidentally sends personal information to the wrong person.

 Do:

  • Have a procedure in place if an employee loses a computer, hard drive, or memory stick.
  • Have a procedure in place if an employee accidentally sends personal information to the wrong person.
  • Ensure company devices are correctly password protected in the event of theft or loss.

Don’t:

  • Assume theft or loss won’t happen.
  • Use overly simplistic passwords on company devices.
  • Put pressure on employees to rush through work as this can increase the likelihood of accidental disclosure errors.

4.     Ensure HR is Collecting the Right Personal Information

With the transition into remote work and the increased chance of a cyber-attack, now is a good time to audit if you’re collecting the right kind of personal information about employees and applicants.

Do:

  • Consider what personal information you need to be collecting versus what you can manage without.
  • Audit your organization’s job application forms.
  • Collect SIN numbers only at hire.
  • Ask for demographic information only if required for an established program or by law, for example: to report to the Government of Canada those new employees who identify as Indigenous.
  • Use literacy/numeracy testing only when necessary.
  • Ask ‘if eligible to work in Canada’ instead of more invasive questions.

 Don’t:

  • Ask for information on job application forms that is not necessary, including SIN numbers.
  • Store personal information in insecure locations.
  • Ask demographic information that isn’t required for an established program or by law.

5.     New Possibilities with Social Media Use During Staffing and Recruitment

As our world becomes increasingly digital, it can be tempting to have a look at an applicant’s social media. Before you do, there are some do’s and don’ts to consider.

Do:

  • Understand that how an employee conducts their private life often has little to do with their abilities as a current or potential employee.
  • Guard against using personal information gathered from social media, or any other online source, in a discriminatory manner against a job candidate or an existing employee.
  • Understand that social media pages, even if publicly available, can contain inaccurate, distorted or out of date personal information about job applicants.
  • Ensure current employees know that social media information may seem transitory, but once personal information is posted online, it gains permanence and can be shared and searched by others.

 Don’t:

  • Make assumptions based on an employee or applicant’s social media unless it poses a risk to the organization or implies illegal activity.
  • Rely solely on information from employee or applicant’s social media profiles.

In all of these instances, your best offense against breaches and missteps includes comprehensive, up-to-date policy, and regular employee training and monitoring!

 

Take the first step towards understanding your Privacy and Information obligations while reinforcing confidentiality within your workplace by contacting us today! Cenera’s Privacy and Information Management professionals are committed to providing outstanding data governance and security strategies, policy development support, and privacy training.

Book your complimentary consultation! 

P: 403.290.0466
E: contact us