Page 37 - CCCA61_2013
sure that employees are aware and complying with that policy; that it’s monitored and enforced.”

Privacy policies must also be realistic, says Monica Muller, legal counsel at the Vancouver Coastal Health Authority. “You can’t have a policy that says, ‘We don’t permit personal use of employer-owned computers’ when people clearly are using them for personal purposes and the employer is permitting it. You can’t have a policy that’s wildly out of sync with reality.”

And the reality is that technology is changing and challenging almost every aspect of protecting privacy in business settings. “I think that the realistic response is not to keep saying no,” says Muller, who with Sara Levine co-chairs the Freedom of Information and Privacy Law section of the CBA’s B.C. branch. “Corporate counsel has to look seriously at what’s being requested and try to match our advice to what people are doing — and then try to minimize the risks around that.”

In a health-care setting, for example, a realistic policy might allow for e-mailing small amounts of medical information as an encrypted attachment; for larger amounts of sensitive data, employees would have to be educated about using more secure methods such as an encrypted USB stick or a secured FTP (file transfer protocol) site. In any workplace, a policy might clearly state that an employee who trashes his or her company on Facebook could be subject to discipline. Or, the company line might be that Facebook and other social networking sites are off-limits.

“People roll their eyes when I get on my high horse about this, but if you really want to indicate that personal use is not acceptable at the workplace, don’t allow Facebook or Twitter access,” says Mary Beth Currie, a partner and co-head of employment services at Bennett Jones. “That sends a clear message that there really is no expectation of privacy while using our computer systems or the employer’s computer systems — but I don’t know how many employers would be prepared to do that.”

What happens, though, when sensitive data is stored on an employee’s own phone or laptop? As more and more data is stored to the cloud, and a “bring-your-own-device” (BYOD) workplace culture gains traction, employers need to ensure that their administrative policies take into account the operational realities of monitoring employees’ use of their own devices.

What Cole made clear, says Levine, associate counsel at Alliance Lex Law Corporation in Vancouver, is that “privacy rights are distinct from the ownership interest in the computer.” Paris points out that “one of the things that the court said was that ownership was increasingly unhelpful in determining whether there is a reasonable expectation of privacy.”

Employers also need to account for the risks associated with BYOD policies, says Muller. “You want to be able to track and register the devices people are using in their work and make sure

• Conduct the review at the end of the recruiting process, after the initial screening of all candidates and face-to-face interviews have been conducted.
• Tell the candidate about the review and obtain consent.
• Define in advance the information to be collected — and make sure that it’s all relevant to the candidate’s qualifications and suitability to the position.
• Have someone other than the decision-maker conduct the search and then weed out any Charter- or human rights–protected information before submitting a report to the hiring manager.

Be technology-neutral: Privacy policies that try to address specific technologies or software will soon find themselves outdated, says Sara Levine. Rather, she suggests establishing principle-based guidelines that apply no matter what app or website or device is used — or even if no device is used at all. “Clarify that conduct that’s inappropriate in a face-to-face setting will also be inappropriate for online,” says Muller.

Beware BYOD: When employees access and store company data from and to their own devices, the risk of privacy breaches can multiply. Outline a clear privacy policy surrounding employees’ use of their own technology, and ensure that it — like all technology used by the company — is properly secured and accounted for. “A huge risk for organizations is the loss of data on portable devices,” says Muller. “Of course, the first principle is ‘Try not to transport large amounts of personal information on portable devices.’ USB sticks or phones or other devices simply should not be unencrypted, and they should be able to be remotely wiped.”

Limit exclusive use: Have employees regularly return or exchange employer-issued laptops, tablets, phones and other devices. Doing so, says Paris, limits the extent “to which the employee treats the devices as their own,” and thus reduces expectations of privacy and (hopefully) the likelihood that personal or otherwise inappropriate information will be accessed by and stored on the company’s systems.

Build it in: Build privacy into all new corporate initiatives and technologies, says Levine. From customer service to social media campaigns to human resources to IT, “privacy should be a factor considered equally alongside other important business factors when making business decisions.” Incorporating privacy considerations into every new initiative is much easier than trying to impose it afterward, echoes Muller. She suggests using technological tweaks — such as disallowing computer searches by name or pop-up windows that remind people of proper use — that make privacy breaches more difficult.

PRINTEMPS 2013 CCCA Canadian Corporate Counsel Association 37