The Evolving World of Privacy in the Workplace: A day in the life of a Privacy Officer

Monic Pratch, Chief Privacy Officer, Corporate Secretary and Legal Counsel, FortisBC Group of Companies

April 28, 2015


5 Common Employee Privacy Matters that I see in my role as Chief Privacy Officer:

1. Access Requests for Employee Information

2. Internal Audit & Employee Privacy

3. Internal HR Processes – Simple Reminders

4. Workplace Investigations & Employee Privacy

5. Use of PIAs in the Private Sector HR Context


1. Access Requests for Employee Information

• Who is making the request?

  • Employee request pursuant to PIPA

    • need to review file to ensure it is PIPA compliant

    • use a standard request form

  • Lawyer representing employee

    • clarify if the request is a PIPA request or a request as part of a litigation proceeding, as there are different obligations

    • use a standard request form

    • ensure the request from the law firm is specific (i.e., is it limited to a specific time period? Is it limited to certain records?)

    • ensure your response is limited to the records requested


  • Requests from Third Party Agencies

    • ask “Under what statutory authority are they making the request?”

    • review the statute and if you are uncomfortable seek legal advice.

  • Requests for aggregated data with personal information removed

    • ensure data is properly de-identified and cannot be re-identified

    • ask for what purpose they want the data and how they are going to use the data

Page 5: The Evolving World of Privacy in the Workplace · • Provides an objective viewpoint on privacy matters and highlights new potential issues • Provides insight regarding the organization’s

2. Internal Audit and Employee Privacy

“Oh no, I’m getting audited … or at least my Privacy Management Program is getting audited …”

Some immediate questions that arise:

1. What is an audit?

2. What is the Internal Audit department’s role?

3. What is the Privacy Officer’s role in an audit?

4. What are the outcomes of an audit?


Internal Audit

“Internal auditing is an independent, objective assurance and consulting activity designed to add value and improve an organization's operations. It helps an organization accomplish its objectives by bringing a systematic, disciplined approach to evaluate and improve the effectiveness of risk management, control, and governance processes.”

Institute of Internal Auditors, http://www.theiia.org


Benefits of having a Privacy Audit by your Internal Audit department:

• Provides an objective viewpoint on privacy matters and highlights new potential issues

• Provides insight regarding the organization’s risk tolerance from the department that assesses risk

• “Trains” internal audit to recognize privacy risks in other audits

• Raises the profile of privacy matters within an organization’s senior management team


3. Internal HR Processes – Simple Reminders (that if not followed could have significant implications)

Reminder 1: Remember physical security

• There is so much focus on electronic records and processes, but sometimes we need to remember that physical processes need to be reviewed as well.

• A few tips:

  • don’t leave employee files on desktops

  • lock the filing cabinet where employee records are kept

  • have a sign out system for employee records

  • use screen protectors

Reminder 2: Little things count

• double-check the email address you are sending to

• get a peer review of correspondence containing sensitive personal information


Reminder 3: Convenience is not necessity

• remember to always send only what is necessary, so ask yourself:

  • do I really need to include all of this?

  • for what purpose do I need to include it?

  • is there a less privacy intrusive way of doing this?

Reminder 4: Remember that emails become records

• … and records can be accessed pursuant to PIPA and in litigation proceedings

• the more email records you create, the more records you become responsible for (and potentially liable for)


4. Workplace Investigations & Employee Privacy

In the context of a workplace investigation (not involving a privacy breach), some common questions:

• Am I allowed to collect information from a third party regarding the individual that is the subject of the complaint?

• The investigation is complete and the individual is requesting access to the investigation report. How much information can I provide them?

• The investigation is complete and the Union is requesting access to the investigation report. How much information can I provide them?


There’s been a privacy breach with respect to employee personal information. Who should handle the investigation?

• The role of HR

• The role of the privacy officer

• Follow your breach management protocol

• Refer to: “Privacy Breaches: Tools and Resources” published by the BC OIPC in March 2012.


5. Use of PIAs in the Private Sector HR Context

Not mandatory … but prudent (in my opinion)!

• When to use a PIA?

• Purpose of a PIA

• Forms of PIAs

• Benefits of a PIA

  • Due diligence

  • Precedent for future projects

  • Roadmap to mitigate privacy concerns


“When it comes to privacy and accountability, people always demand the former for themselves and the latter for everyone else.”

- David Brin


Questions?


Find FortisBC at:

Fortisbc.com

604-576-7000

For further information, please contact:

Monic Pratch

[email protected]

(250) 469-6059