Today’s workplace looks quite a bit different than it did twenty, or even ten, years ago. Smartphones are not just a luxury but a necessity, and employees are spending more and more time connected to the office, even while they are at home. Employers must grapple with significant amounts of accessible information about employees, and employees often contend with the use of work-issued technology for both professional and personal purposes.
When someone has a work-issued phone, are they allowed to log into their personal email and social media accounts? What does privacy look like in this context and how can employers deal with a changing legal landscape that at times has not yet caught up with the prevalence of various forms of technology in the workplace?
While it’s common for businesses to have a general privacy policy that provides customers with important information about how their personal data is collected and used, these same businesses often do not have similar policies for their employees.
Having a privacy policy that explains what information is being collected, how, and for what purposes, forces a company to evaluate its data collection practices to ensure compliance with applicable privacy legislation. It also offers a sense of transparency for employees, and sets out certain expectations regarding the handling of personal information. Having a privacy policy for employees is not only beneficial, but is essential to a well-managed workplace.
Technology in the workplace
While workplace technologies such as computer-monitoring software, surveillance systems, cloud computing, and GPS tracking are providing businesses with increased monitoring capabilities, they also make it more important for organizations to have employee privacy policies. For example, if a private sector employer in BC wants to introduce computer-monitoring software to their workplace, they have to comply with section 13 of the BC Personal Information Protection Act (PIPA), which requires, among other things, that employers notify their employees of the manner and purposes (such as employee safety or loss prevention) for collecting personal information.
There are limited exceptions to this requirement, the details of which are included in the Act. In past privacy law decisions, the BC Office of the Information and Privacy Commissioner (OIPC) has indicated that a desirable method of such notice is through a carefully considered privacy policy.
Employee management
Along with notifying employees, a privacy policy can also be used to define an employer’s ownership of information, an employee’s right to use workplace technology for personal reasons, and the extent of an employee’s expectation of privacy when using work-issued electronic devices. When there is no privacy policy, or when a privacy policy is not brought to the attention of employees in advance, evidence of employee misconduct collected through technology (such as computer monitoring software that identifies time theft) could be suppressed.
Having a privacy policy is important for employees, as they will then be aware of their company’s expectations, of the monitoring of their personal information, and that any breaches of the privacy policy or any workplace contraventions identified through technology may be subject to discipline.
For employers, such policies are beneficial in managing employment relationships not only from an administrative perspective but also because when employees are put on notice they tend to adjust their workplace practices accordingly.
Risk management
Employee privacy policies can also facilitate employees’ understanding of their privacy obligations to customers, third parties, and other staff members. These policies work to establish expectations around confidentiality, employee access, and security such as technological and physical safeguards. As a result, employees will be better able to protect privacy and maintain security when they are able to recognize, act on and/or avoid privacy issues as they arise.
For example, a policy can state that sensitive work files should not be shared or distributed through cloud-based file hosting services. Along with reducing the risk of a breach, this also assists in demonstrating due diligence to the OIPC in the event of a privacy incident or complaint.
What should your organization’s privacy policy contain?
As a starting point, the OIPC has developed guidelines for private sector organizations when developing a privacy policy. At a minimum, the OIPC has stated that a privacy policy should address the following:
- The purposes for collection, use, and disclosure of personal information, including requirements for consent and notification;
- Access to and correction of personal information;
- Retention and disposal of personal information;
- Responsible safeguarding of information, including appropriate access controls and the use of administrative, physical, and technological security measures; and
- A process for responding to privacy complaints.
From an employee management, security, privacy, and administrative perspective, having an employee privacy policy is a proactive measure that can mitigate certain headaches for your organization down the road.
Michela V. Fiorido is a lawyer at Harris & Company LLP in Vancouver. She advises private and public sector employers on information access, protection and privacy policies as well as technology use in the workplace.