As we look back on 2019, we know one thing for sure: the HR and privacy landscapes are becoming increasingly complex and intertwined.
HR professionals are not only responsible for protecting sensitive information about employees and management, but they also must safeguard this information under laws governing privacy and confidentiality.
Here are six privacy issues that we predict will continue to confront HR professionals in 2020:
1. Employee Surveillance
Emerging surveillance technologies give companies the ability to monitor their workers’ every move, but employers have to be careful not to invade employee privacy.
All surveillance – email, video, phone, computer, vehicle GPS tracking – is considered a collection of personal information, which means proper policies, procedures, and notices are a must.
- Are there legitimate issues that your organization needs to address through surveillance?
- Is the surveillance likely to be effective in addressing these issues?
- Is the surveillance conducted in a reasonable (i.e., least intrusive) manner?
2. Drug Testing
Drug and alcohol use/impairment in the workplace is a legitimate concern, and cannabis legalization adds another dimension. Drug testing of employees has long been seen as the method to deal with this problem. But with so much over-collection of employee information, the privacy issue remains: is the amount of information collected properly limited and is it effective for the purpose?
An analysis of the most common methods and their privacy implications:
- Post-Incident or reasonable cause: because there is reasonable cause, the testing is limited and considered effective
- Pre-employment or pre-access: limitation to safety-sensitive jobs or site helps, but effectiveness is in question
- Accommodation monitoring: scope is limited to specific individuals and effective for the program
- Random: considered very intrusive as a constant covert possibility for any employee. For the same reason, it can be effective as a deterrent. Court considerations of the privacy issues still limit this method to specific situations.
When conducting a workplace investigation, collect, use and disclose only the type and amount of information necessary. Hold all records related to the investigation in a secure manner, separate and apart from other HR records, and restrict access on a “need to know” basis.
Who is notified about an investigation?
- Parties and witnesses of value, and supervisors/managers only if workplace changes are required.
- C-suite only if there are matters of liability or risk requiring their attention.
Who gets to see the report and the records?
- Circulate the report only among the final decision-makers because it contains sensitive personal information, and circulating it widely may negate any future claim of privilege.
- Inform the complainant of the outcome and of decisions that directly affect his or her work.
- Inform the respondent of the outcome and any action that is directly applicable to him or her.
- Upon request, provide access to records under applicable legislation, considering, among others, provisions to protect third party personal information and your organization’s decision-making processes.
- Provide records when compelled by police, or for court or quasi-judicial proceedings.
4. Occupational Health Privacy
Employers and HR encounter employee health information most often during fitness to work assessments, disability management and safety and injury tracking. Generally, the privacy standard is that only medical professionals (doctors, therapists, OHS nurses) get access to employee health information.
This means that employers (other than on-staff OHS medical professionals) should not see or know about:
- Full medical assessment beyond any work conditions that may be required
- Employee’s medical diagnosis, prognosis or therapy (including medication)
- Employee assistance
The exception again would be Accommodation cases where HR may need to verify employee participation in a therapy program, for instance.
Note that the Health Information Act in Alberta, which regulates the privacy and security of all health information, does not generally apply to employee health assessments and monitoring.
5. Workplace ‘Reach’
With the rise of remote workers, flex time and social media, it’s becoming increasingly difficult to define what is and isn’t the workplace.
When does an employer have ‘reach’ for monitoring, investigation, or discipline?
If an employee’s out of hours conduct is likely to:
- Cause serious damage to the relationship between the employer and employee
- Cause damages to the employer’s interests
- Be incompatible with the employee’s duties as an employee (violation of policy)
To minimize risk of harm to reputation and brand, and risk of vicarious liability for an employee’s out of hours behaviour, employers should:
- Have a suitable workplace code of conduct and social media policy
- Inform employees of their rights and obligations and the circumstances under which they may be disciplined or terminated for their behaviour beyond the workplace.
Employees should be aware:
- When using social media in a workplace context, including a social media account hosted by their employer
- That their personal information, including off-duty comments and postings on social media about workplace issues can be collected, used and disclosed by the employer
6. Privacy Breaches of Employee Information
Protecting employee information has become just as vital as safeguarding client or patient data. Some of the biggest privacy breaches in the world and in Canada have involved mainly employee information.
Here are the kinds of harms that can result from employee privacy breaches:
- Financial harm: loss of funds, credit, employment, fraud and ID theft
- Humiliation: loss of status, reputation, disclosure to work colleagues, family
- Physical damage to person or property: disclosure to potential threats
Email phishing, social engineering, ransomware attacks, and network compromises are on the upswing, and employees are often the victims.
Also remember, at the provincial and federal private-sector levels, privacy breaches that pose a significant risk of harm must be reported to the privacy regulator and, if found significant, are reported to the public. That’s one list you don’t want to be on.
As we anticipate the year ahead, HR professionals must understand the importance of maintaining confidentiality and protection of private information. Effective information and privacy management directly supports all aspects of your business and reputation.
Take the first step towards understanding your Privacy and Information obligations while reinforcing confidentiality within your workplace by contacting us today! Cenera’s Privacy and Information Management professionals are committed to providing outstanding data governance and security strategies, policy development support, and privacy training.