This is an employee privacy "hot topics" presentation to human resources professionals. It includes sections on sources of employee privacy rights, screening candidate's internet presence in the recruiting process, access to employee communications, cross-border information processing and pandemic planning.
Everything You Need To Know About Workplace Privacy
1. Everything you need to know about workplace privacy Dan Michaluk January 27, 2010
2.
3.
4.
5. How to run an internet background check An information collection model for efficient and compliant recruiting
6.
7.
8.
9.
10.
11.
12.
13. How to manage the risk of disease Employer Employee HCP Medical Advisor
14.
15.
16.
17. Everything you need to know about workplace privacy Dan Michaluk January 27, 2010
Hinweis der Redaktion
Thank you Trained as an employment lawyer Strong information management and privacy focus Built this need to know presentation around recent experience⊠types of questions weâre getting Excited to deliver it Five topics OnlyâŠ. thirteen slides of substance So letâs take questions while we go and see how it flows
Two slides on âwhere do employee privacy rights come from?â What do you have to worry about? Here are the four sources⊠thatâs it Statutory codes -four of them -comprehensive codes based on fair information practices -backed by administrative means of enforcement and anti-reprisal protection Other statutes -Income Tax ActâŠ. written consent to use a SIN for non-tax purpose -Ontario OHSA⊠canât seek to gain access to a health record -Charter. Government? Law of unionized workplace â reasonableness doctrine Civil claims for breach of contract and tort⊠risk more and more realâŠ. but s there a practical means of enforcement?
How many from Ontario? How many provincially regulated employers with employees in provinces other than BC, Alberta and Quebec? Your unionized employees can grieve a privacy violation But what about non-union employees? No statute. No access to arbitration. Can you run rough over employees because thereâs a gap? There is certainly broader scope to manage here⊠engage in things like surveillance⊠monitoring⊠but donât be too aggressive Bad facts make bad law Colwell an example⊠first privacy breach constructive dismissal claim Somwar was a current employee If it a medical information management issue then you may have a link to HR liability
Hot, hot topic⊠Who does it? Collecting personal information thatâs been published has very limited protection in lawâŠ. If its out there its out there eh? Only talk about need for change because of the social media phenomenon If you are federally regulated or employing in one of the three provinces there are regulatory risks -authorization -necessity and reasonableness -accuracy But the more pertinent risk is human rights risk Employers have employed structured recruiting processes to manage risk Qualify first through application form â in Ontario backed by section 23 of Code Assess in interview â More information⊠some employ structured interviews Check background last⊠- most sensitive information Protects against discrimination claims based on knowledge Think of all the crazy stuff thatâs online!!!
I think there are cases when you want to do it If youâre hiring someone for a position where there reputation matters a check may be necessary It may be irresponsible not to check Hereâs how to do it,,,, avoid the temptation to troll! -do it at the end -think about what information is relevant to the job⊠what are you looking for -write it down⊠make it objective -ideally, give it to someone whoâs not a decision-maker -get a report back -report becomes the formal record so you donât have to deal with production disputes about internet search logs
Another hot topic⊠electronic communications monitoring Letâs talk about the established lawâŠ. Hereâs what its based on -computers were a tool to do your work -many reasons to inspect -warned of inspections No reasonable expectation of privacy Arbitrators were not even balancing interests You could do it because you said you could do it
Things are changing though Look at the trends -More and more personal use (Who would prohibit online banking? Collection possible through keylogging.) -Mobile devices channel communications through network 24 hours a day -Starting to use social media applications for business purposes Natural to say that employeesâ expectations rising If you talk to the person on the street they think its private This is a problem for employers
So⊠will the law catch up? Weâre seeing signs of change -Quon is a case from California -Going to the USSC -Facts show âinformal policyâ ⊠-Exactly the point⊠policy not attuned to reality will not be enforced and therefore not enforceable In Ontario, important case going to OCA called Cole -Criminal case -Teacher at school board -Judge said no expectation of privacy -But worked very hard at it⊠facts were unique
So hereâs your choice You can say NO EXPECTATION OF PRIVACY louder May help But people (including your line managers) may not think your serious Courts may not think your serious So if you do only that ⊠think about how to demonstrate your serious The alternative is to recognize a limited right to privacy -but we will audit⊠hereâs how -we will investigate⊠hereâs when⊠hereâs who -we will extract and sort through your full e-mail file if we get into litigation -you put yourself there at your option Then stay within the boundaries⊠demonstrate respect for privacy should help
Lots and lots of questions about this Companies running HRIS out of the US Maybe itâs our economy I hate the question Very hard to compare socio-political risks Lots of employees scared about USA Patriot Act⊠But is it a risk? Can get into debates amongst the uninformed (both sides uninformed) Here are the rules -Data security is important -If youâre outsourcing⊠put in all the same strong protections⊠due diligence -Be aware of socio-political conditions that may cause data risks -Notice is the key special requirement â PIPEDA yes, Alberta yes in policy (new, applies to parent corporations), Quebec yes, BC uncertain more uncertain but⊠(Fox case) -Cross-Canada employers might as well notify⊠not hiding it from anyone
This is really a slide that stresses good outsourcing practices Applies if youâre giving it to a external service provider Due diligence is important⊠know all the details about who youâre giving it to (hire a security expert with knowledge of data centers to ask the questions) Contract is key â two key things â control plus security Assume that notice is required unless you get an unqualified legal opinion telling you youâre a-okay
Designed this at the time H1N1 was at its peak Still important Before we get into the application⊠hereâs a slide that Iâve used and that people have found helpful in determining the roles in employee medical information management In particular, its helped resolved the conflict that your contract or employed medical advisors may feel Letâs be clear⊠they work for you in most cases They assess, they facilitate return to work and so on They are medically trained members of human resources who also act as a privacy screen (means by which the need to know principle is respected) You need to make that clear to employees Employee health care providers have the health care relationship⊠fiduciary duty If you do provide health care (to eeâs) you have to be very careful about separating two roles⊠conflict⊠need to be careful⊠another talk
Objective â keep employees who are sick out of the workplace Tactic â gate screening for H1N1 infection risk Tactic â return to work screening for H1N1 infection risk MOHLTC guide endorses screening -symptom based (generally no practical ability to rely on diagnoses) -to support a medically valid assessment Federal, BC and Alberta Commissioners said short of a state of emergency you donât need to ask for sharing health status, including diagnosis Just say youâre sick⊠yikes! Slightly qualified, but a warning To protect yourself -follow the lead of your local health authority -think about the appropriate trigger for routine/gate screening (versus reasonable grounds questioning) -⊠and so on
Objective â allow people to mitigate harm Scenario â employee living with vulnerable member of the population More aggressive Use a very case-by-case approach Implement some objective threshold â âreal likelihood of exposureâ Makes sense to notify the person whose information is disclosed
Post frequently at slaw.ca Look for background check article that went up this morning