Christina Catenacci, BA, LLB, LLM, PhD
I recently read an investigation report from the Alberta Office of the Information and Privacy Commissioner, where an employer made a big mistake and ended up violating the privacy of at least 25 employees.
The employer, a public body, had an agreement with Equifax Canada under which it could access the Equifax database for credit reporting services, for legally permissible purposes connected with its work of collecting child and spousal support payments and forwarding them to the persons entitled to them. It conducted a credit check by logging into the Equifax database, entering an individual’s identifying information (name, date of birth, social insurance number), and viewing or printing the individual’s credit report; the report could not be saved.
There was an internal investigation within the public body into allegations of fraudulent cheques being cashed at various locations. It was ultimately determined that the breach originated externally, so the investigation was handed over to a municipal police service. However, it remained possible that an internal employee was involved in the forgeries.
Consequently, the public body decided to rule out the risk of internal involvement by obtaining credit reports on all employees working in the relevant units of the workplace. The special investigations unit was told to conduct these searches using the names, dates of birth and social insurance numbers of employees to obtain the credit reports. The credit reports were printed and delivered directly to the director of compliance. The conclusion was that there were no identified risks. The credit reports were then provided to the executive director. According to the public body, the credit reports were shredded, but this could not be confirmed because the executive director had since left the public body.
Well, you shouldn’t be surprised that the affected employees complained to the Office of the Information and Privacy Commissioner. The employees asserted that the public body violated their privacy by conducting credit checks on them without their knowledge or consent. They wanted to know why this was done, who ordered it and what could be done to correct it.
The employer admitted that it was in error. The Office of the Information and Privacy Commissioner agreed that the employer’s actions clearly violated the Freedom of Information and Protection of Privacy Act.
The public body accessed credit reports that typically contained an individual’s name, social insurance number, date of birth, address, employer name, credit inquiries, judgments, past and present history of credit checks, credit rating, level of payments and updates. The public body did this without the knowledge or consent of the individuals. The collection and use of the information was not authorized under the Act. The records were only disclosed internally to the manager, the director of compliance and the executive director.
Since the employer knew it made a mistake by conducting the credit checks on its employees, it attempted to minimize the blow and ensure it would not happen again by:
The employer also made it clear that employees were not to be investigated in the future.
The Office of the Information and Privacy Commissioner noted the employer’s remedial actions and commented that there was no point in taking the matter further, as there was no remedy available for the employees under the Act.
Even though the employer made a mistake that violated the Act, the employer did the right thing in the end by admitting it was in error, apologizing and ensuring the error would never be repeated.
I’m wondering, does your organization have a system in place to protect your employees’ personal information contained in personnel records? Do you hold on to extraneous information, or do you have procedures in place to discard unnecessary or dated information? Do you have policies and procedures in place regarding methods of physical protection of information, and computer security protection strategies? Have you trained your employees in these policies and procedures?
Christina Catenacci
First Reference Human Resources and Compliance Editor
I’ve discussed workplace gossip here before, and what bosses can do to prevent it or at least reduce the potential harm, but there are a couple of hyper-modern developments that I didn’t get into: reality television and the Internet. These two things have created a culture of “sharing”, for lack of a better word, that encourages people at play or work to divulge the most mundane and private details of their lives to others—the kind of information that one previously might only have shared with family or best friends.
Adam Gorley
I’ve discussed the Privacy by Design principle before, in the Inside Internal Control newsletter. In case you don’t know, PbD is an approach developed by Dr. Ann Cavoukian, the Privacy Commissioner of Ontario, which proactively embeds privacy protection by default in the design of an organization’s practices and products.
Colin Braithwaite