Canadian HR Reporter - Ontario

November 2018 ON

Canadian HR Reporter is the national journal of human resource management. It features the latest workplace news, HR best practices, employment law commentary and tools and tips for employers to get the most out of their workforce.

Issue link: https://digital.hrreporter.com/i/1043525


systems," said Wagner. "Those do happen, but the reality is most data breaches are caused by leaving laptops in vehicles and having them stolen, or loss of data keys, or less sophisticated electronic attacks like phishing."

"I've heard statistics that say an excess of 80 per cent of all data breaches are actually caused by employee inadvertence or accidental loss of info."

Some people think it's OK to share passwords with a colleague, but there have been reported cases in Alberta where breaches have occurred, said Lyndsay Wasser, a partner in employment and labour relations, and co-chair of privacy and data protection at McMillan in Toronto.

Still, other breaches are more intentional.

"Employee snooping can be a real problem in some organizations," she said.

"Employees might disclose personal information about others to colleagues who don't have any need to (see) that information for their employment duties."

Occasionally, external parties go to great lengths to access data, said David Fraser, privacy and technology lawyer at McInnes Cooper in Halifax.

"Every organization has vulnerabilities," he said. "Someone wanting to gain access to data might dress up like a technician and walk out with a laptop under his arm… Or someone will claim to be calling from the help (desk) and ask you to help them remotely access your computer so they can resolve a problem."

Considering risks

If an organization's breach assessment indicates there is a "real risk of significant harm," it must be reported to Canada's privacy commissioner, whether it impacts one person or 1,000 people, according to the updated regulations. The employer is also required to notify affected individuals.

There's some subjectivity when considering the risk of significant harm, in any given breach. But Canada's privacy commissioner has offered examples that would qualify including health information, financial information and sensitive identifiers such as social insurance or passport numbers.

"Generally, there's just an assessment based on the level of risk associated with the loss of that info," said Wagner.

"For example, a breach of health information can affect employment, reputation, finance. And loss of financial information can lead to fraud and impact credit ratings."

Employers will have to have a system in place to determine if the thresholds have been met for reporting, said Fraser.

"Somebody is going to determine whether the breach creates real risk of significant harm, and they're going to need to be consistent about that, following the guidelines."

Even if the data breach incident doesn't reach the level of risk where employers must report or notify individuals, there's still a record-keeping requirement of all incidents, said Wagner.
And staff will need to be trained on how to prepare and secure those records.

"It's important to make sure access to those records is properly restricted," said Wasser.

"They also shouldn't contain any confidential information, but should contain all the information the privacy commissioner will be looking for… Under the new legislation, the commissioner can demand access to those records."

It's recommended employers seek legal advice in the event of a breach when they need to submit records, said Fraser.

"These records you keep for the privacy commission inspection are not privileged, so they need to be pretty carefully prepared so as not to include extraneous information that could come back to haunt you."

Policy, training changes

While it's important to develop policy and procedures around data security and data breaches, organizations should conduct a big-picture assessment first, said Wagner.

"Even before the formulation of a policy, know where personal information resides within the organization, who has access to it, how sensitive that information is, how it's communicated to employees and how they are trained with respect to protection of that personal information," she said. "You can't figure out where the gaps are until you know what you've got."

Employers should also take a look at what physical, organizational and technological safeguards are in place, and consider whether or not they are sufficient, said Wagner.

"Obviously, the goal of most organizations is to prevent breaches so they don't have anything to record or report, so start with evaluating what's in place now."

The second step is remediation, so fixing the gaps, and part of that is making sure the policies and procedures are in place, she said.

"The policy would be similar to any other internal policies in terms of identifying who in the organization is responsible for various different tasks in the event of a breach incident," she said.

"It would also include an escalation procedure and identify the different regulators or organizations that would need to be notified in the event of a breach incident, as well as any other steps the organization would take."

Employee training can prevent breaches, or help workers know how to handle them when they happen, said Wasser.

"It's important that employees are trained and know how to manage personal information and how to recognize threats like phishing emails," she said. "Generally, Canadian privacy laws aren't that prescriptive in terms of what an organization needs to do to protect personal information, but one of the things the privacy commissioners have consistently emphasized is the importance of training — and ongoing training — within an organization. It should be a program of employee training, rather than just one course."

"From an HR perspective, the most important thing to do right now is put a communication plan in place to make sure employees understand that these obligations are coming into force, and that privacy breaches can lead to reputational damage and class-action litigation," said Wasser.

Culture shift

For a lot of organizations, this is going to require a culture shift because privacy breaches, even small ones, often happen all over an organization, said Fraser.

"Even if the breach seems trivial — someone on a plane sees an employee's laptop screen or an employee leaves a file with sensitive data on his desk overnight — every single one of those events is going to need to be documented."

Encouraging employees to come forward and report breaches as they happen will require a fine balance, he said.

"Organizations will need to be able to take appropriate disciplinary measures when necessary, but also have a culture where employees feel like they can report a breach, rather than cover it up," said Fraser.

"Ideally, there is a culture that reduces the risk in the first place, lets employees know what their responsibilities are for reporting, and empowers them to do that without fear of unreasonable reprisals."

Melissa Campeau is a freelance writer based in Toronto.

Training needed for record preparation, reporting
PIPEDA < pg. 1

The personal information of almost 13,000 public servants was exposed in a breach at Public Services and Procurement Canada (PSPC) in 2016. Credit: Google Street View
