This is an employee privacy "hot topics" presentation to human resources professionals. It includes sections on sources of employee privacy rights, screening candidates' internet presence in the recruiting process, access to employee communications, cross-border information processing and pandemic planning.
Everything You Need To Know About Workplace Privacy
1. Everything you need to know about workplace privacy Dan Michaluk January 27, 2010
5. How to run an internet background check An information collection model for efficient and compliant recruiting
13. How to manage the risk of disease Employer Employee HCP Medical Advisor
17. Everything you need to know about workplace privacy Dan Michaluk January 27, 2010
Editor's notes
Thank you
Trained as an employment lawyer
Strong information management and privacy focus
Built this need to know presentation around recent experience… types of questions we’re getting
Excited to deliver it
Five topics
Only… thirteen slides of substance
So let’s take questions while we go and see how it flows

Two slides on “where do employee privacy rights come from?”
What do you have to worry about?
Here are the four sources… that’s it
Statutory codes
- four of them
- comprehensive codes based on fair information practices
- backed by administrative means of enforcement and anti-reprisal protection
Other statutes
- Income Tax Act… written consent to use a SIN for non-tax purpose
- Ontario OHSA… can’t seek to gain access to a health record
- Charter. Government?
Law of unionized workplace – reasonableness doctrine
Civil claims for breach of contract and tort… risk more and more real… but is there a practical means of enforcement?

How many from Ontario?
How many provincially regulated employers with employees in provinces other than BC, Alberta and Quebec?
Your unionized employees can grieve a privacy violation
But what about non-union employees?
No statute. No access to arbitration.
Can you run roughshod over employees because there’s a gap?
There is certainly broader scope to manage here… engage in things like surveillance… monitoring… but don’t be too aggressive
Bad facts make bad law
Colwell an example… first privacy breach constructive dismissal claim
Somwar was a current employee
If it’s a medical information management issue then you may have a link to HR liability

Hot, hot topic…
Who does it?
Collecting personal information that’s been published has very limited protection in law… If it’s out there it’s out there eh?
Only talk about need for change because of the social media phenomenon
If you are federally regulated or employing in one of the three provinces there are regulatory risks
- authorization
- necessity and reasonableness
- accuracy
But the more pertinent risk is human rights risk
Employers have employed structured recruiting processes to manage risk
Qualify first through application form – in Ontario backed by section 23 of Code
Assess in interview – More information… some employ structured interviews
Check background last… most sensitive information
Protects against discrimination claims based on knowledge
Think of all the crazy stuff that’s online!!!

I think there are cases when you want to do it
If you’re hiring someone for a position where their reputation matters a check may be necessary
It may be irresponsible not to check
Here’s how to do it… avoid the temptation to troll!
- do it at the end
- think about what information is relevant to the job… what are you looking for
- write it down… make it objective
- ideally, give it to someone who’s not a decision-maker
- get a report back
- report becomes the formal record so you don’t have to deal with production disputes about internet search logs

Another hot topic… electronic communications monitoring
Let’s talk about the established law…
Here’s what it’s based on
- computers were a tool to do your work
- many reasons to inspect
- warned of inspections
No reasonable expectation of privacy
Arbitrators were not even balancing interests
You could do it because you said you could do it

Things are changing though
Look at the trends
- More and more personal use (Who would prohibit online banking? Collection possible through keylogging.)
- Mobile devices channel communications through network 24 hours a day
- Starting to use social media applications for business purposes
Natural to say that employees’ expectations rising
If you talk to the person on the street they think it’s private
This is a problem for employers

So… will the law catch up?
We’re seeing signs of change
- Quon is a case from California
- Going to the USSC
- Facts show “informal policy”…
- Exactly the point… policy not attuned to reality will not be enforced and therefore not enforceable
In Ontario, important case going to OCA called Cole
- Criminal case
- Teacher at school board
- Judge said no expectation of privacy
- But worked very hard at it… facts were unique

So here’s your choice
You can say NO EXPECTATION OF PRIVACY louder
May help
But people (including your line managers) may not think you’re serious
Courts may not think you’re serious
So if you do only that… think about how to demonstrate you’re serious
The alternative is to recognize a limited right to privacy
- but we will audit… here’s how
- we will investigate… here’s when… here’s who
- we will extract and sort through your full e-mail file if we get into litigation
- you put yourself there at your option
Then stay within the boundaries… demonstrate respect for privacy should help

Lots and lots of questions about this
Companies running HRIS out of the US
Maybe it’s our economy
I hate the question
Very hard to compare socio-political risks
Lots of employees scared about USA Patriot Act… But is it a risk?
Can get into debates amongst the uninformed (both sides uninformed)
Here are the rules
- Data security is important
- If you’re outsourcing… put in all the same strong protections… due diligence
- Be aware of socio-political conditions that may cause data risks
- Notice is the key special requirement – PIPEDA yes, Alberta yes in policy (new, applies to parent corporations), Quebec yes, BC uncertain more uncertain but… (Fox case)
- Cross-Canada employers might as well notify… not hiding it from anyone

This is really a slide that stresses good outsourcing practices
Applies if you’re giving it to an external service provider
Due diligence is important… know all the details about who you’re giving it to (hire a security expert with knowledge of data centers to ask the questions)
Contract is key – two key things – control plus security
Assume that notice is required unless you get an unqualified legal opinion telling you you’re a-okay

Designed this at the time H1N1 was at its peak
Still important
Before we get into the application… here’s a slide that I’ve used and that people have found helpful in determining the roles in employee medical information management
In particular, it’s helped resolve the conflict that your contract or employed medical advisors may feel
Let’s be clear… they work for you in most cases
They assess, they facilitate return to work and so on
They are medically trained members of human resources who also act as a privacy screen (means by which the need to know principle is respected)
You need to make that clear to employees
Employee health care providers have the health care relationship… fiduciary duty
If you do provide health care (to ee’s) you have to be very careful about separating two roles… conflict… need to be careful… another talk

Objective – keep employees who are sick out of the workplace
Tactic – gate screening for H1N1 infection risk
Tactic – return to work screening for H1N1 infection risk
MOHLTC guide endorses screening
- symptom based (generally no practical ability to rely on diagnoses)
- to support a medically valid assessment
Federal, BC and Alberta Commissioners said short of a state of emergency you don’t need to ask for sharing health status, including diagnosis
Just say you’re sick… yikes!
Slightly qualified, but a warning
To protect yourself
- follow the lead of your local health authority
- think about the appropriate trigger for routine/gate screening (versus reasonable grounds questioning)
- … and so on

Objective – allow people to mitigate harm
Scenario – employee living with vulnerable member of the population
More aggressive
Use a very case-by-case approach
Implement some objective threshold – “real likelihood of exposure”
Makes sense to notify the person whose information is disclosed

Post frequently at slaw.ca
Look for background check article that went up this morning