Designing an Employee Privacy Program
Speakers
David Longford, Chief Executive Officer, DataGuidance by OneTrust
Lyndsay A. Wasser, CIPP/C, Co-Chair, Privacy & Data Protection, Co-Chair, Cybersecurity, McMillan LLP
Oxana Iatsyk, CIPP/C, General Counsel, Privacy Officer and Corporate Secretary, Ruby Life Inc.
Outline
I. Welcome and Introductions
II. Designing a Global Program
III. The HR Lifecycle; from Application to Exit
IV. Monitoring - Challenges posed by tech / innovation
V. Panelists’ Perspectives
VI. Questions and Answers
VII. Closing Remarks
Designing a Global Program
• Challenges
– Balancing different legal regimes (e.g., GDPR versus Canadian laws)
– Structure versus flexibility
– Local “buy-in”
• Benefits
– Positive employee relations
The HR Lifecycle; from Application to Exit
• Background checks, including use of social media
• Managing the Relationship - Rights of candidates, responsibilities of employers
• The post-employment relationship
• Common misconceptions
Monitoring - Challenges posed by tech / innovation
• Video surveillance; GPS tracking; Computer monitoring;
Call recording
• Legal bases and contracts
• Proportionality and business drivers
• Awareness and training
Panellists' Perspectives
• How do I begin building an employee privacy programme?
• How do I maintain effectiveness during organisational change?
• Where can it all go wrong?
• What are some regional approaches used by multinationals?
Effective Employee Privacy Program
Cycle coordinated by the CPO: Assess, Build, Implement, Track, Evolve.
Assess
• Define geographical and corporate governance structure (centralized or distributed)
• Understand organization’s composition (union, contractors, employees)
• Identify and review applicable laws
• Locate and review current policies, procedures and practices
• Locate and review current privacy-related communications to employees
• Identify employee data collected, its location, reasons for data processing and extent of data transfers between various company locations
• Identify 3rd party vendors having access to employee data
• Locate and review Offer Letter, Employment and Independent Contractor Agreement templates
• Review current service agreements for the vendors having access to employee data, incl. recruiters
• Identify technologies used to screen and monitor employees
• Identify gaps in privacy compliance
Build
• Limit the scope of personal data collection and processing
• Define an employee privacy roadmap
• Assign responsibilities for data privacy throughout the organization
• Develop training materials
• Draft Data Processing Agreement/contract clauses
• Update internal templates and vendor agreements as necessary
Implement
• Train and retrain new and current employees
• Advise HR of limits on background checks and employee monitoring
• Communicate and post privacy related notices, policies and guidelines for easy access by employees
• Define and communicate data security-related policies and guidelines, including those re breach notification, and third-party vendor assessment rules
• Enforce compliance
Track
• Track data and access to it, and data processing reasons
• Track employee consent, training completion, policy receipt acknowledgement, compliance
• Implement and watch adherence to data retention rules
• Respond to employee and third-party privacy-related inquiries within reasonable time
• Audit privacy practices of potential vendors
• Log, review, address and report when necessary privacy incidents, breaches and complaints
Evolve
• Conduct periodic audits of data access, consent and retention practices and compliance
• Address data protection concerns identified during audits
• Conduct periodic mock breach exercises; implement “post mortem” policy revisions
• Review and improve contracts, policies, practices and guidelines, to reflect the evolving legal requirements and case law
• Document changes to policies and procedures
• Report to stakeholders
Q&A
Helpful References
Background Checks in Canada
• Federal and Quebec employees – prior consent required
• Alberta and BC employees - advance notice required
• Risk - possible claim of “intrusion upon seclusion”
• Rule of thumb:
i. Ensure proper background checks are completed even when a 3rd party is engaged (The Treaty Group Inc. v. Drake International Inc. (2007) 86 O.R. (3d) 366)
ii. Limit checks to assessing the employee’s suitability for continued or prospective employment
iii. Failure to consent to a background check may give cause for termination of employment (Covenoho v. Pendylum Inc., [2016], O.J. No. 4498)
Employee Monitoring Cross-Border Chart
Access this chart at
[Link]
Country-specific in-depth guidance
Access this information at
[Link]
Employee Monitoring Principles
• Necessity
• Finality
• Transparency
• Legitimacy
• Proportionality
• Accuracy
• Retention
• Security
Employee Monitoring Tests
Federal Privacy Commissioner
• Is the measure demonstrably necessary to meet a specific need?
• Is the measure likely to be effective in meeting the need?
• Is the loss of privacy proportional to the benefit gained?
• Is there a less privacy-invasive way of achieving the same end?
Alberta Privacy Commissioner
• Does a legitimate issue exist to be addressed through the collection of personal information?
• Is the collection of personal information likely to be effective in addressing the legitimate issue?
• Is the collection of personal information carried out in a reasonable manner?
BC Privacy Commissioner
• Can the employer demonstrate that it is reasonable to believe that a breach of an employment agreement has taken place?
• Has the employer given proper notice to employees of its monitoring practices?
• Is the collection of personal information reasonable for the purposes of establishing, managing or terminating an employment relationship?
Quebec Privacy Commissioner
• Is surveillance necessary in order to manage the workplace?
• Is the surveillance carried out in an arbitrary manner?
• Is the surveillance based on other evidence that already exists against the worker?
Unionized Employees
• Is the surveillance reasonable in light of the circumstances?
• Is the surveillance conducted in a reasonable manner?
• Are there any alternatives to the surveillance?
• Is the surveillance conducted in the least intrusive manner possible?