Canadian HR Reporter

May 5, 2014

Canadian HR Reporter is the national journal of human resource management. It features the latest workplace news, HR best practices, employment law commentary and tools and tips for employers to get the most out of their workforce.

Issue link: https://digital.hrreporter.com/i/303588


TRAINING AND DEVELOPMENT

Training around privacy
Knowing the who, what, when and why is a good place to start

By Rick Shields

Anyone who has paid even casual attention to the news during the past decade will be aware that stories about privacy — especially those relating to privacy breaches or other privacy-related transgressions — have become commonplace.

A contributing factor in many of these incidents has been inadequate staff training concerning privacy and data security. Employers keen to stay on top of the issue should consider an in-house privacy training program. One of the first steps down that road is answering the question "Who should be trained?" Then attention can turn to the type of training needed, how frequently it should be delivered and how its benefits can be assessed and effectively reinforced.

Background

There are an increasing number of federal, provincial and territorial privacy laws in Canada that govern dealings with personal information or personal health information by private, public, health and non-governmental sector entities — though they vary depending on the sectoral and jurisdictional setting.

Some Canadian privacy laws expressly require organizations to carry out privacy training, such as the federal Personal Information Protection and Electronic Documents Act (PIPEDA), Ontario's Personal Health Information Protection Act, 2004, and Alberta's Health Information Regulation.

Training obligations may also arise by "necessary implication" from the wording of a statute. For example, the Information and Privacy Commissioner for Saskatchewan has stated that a requirement to provide privacy training can be implied from a provision in that province's Health Information Protection Act.

Under public sector privacy laws, meanwhile, training obligations are typically imposed via government policy (such as the federal government's Policy on Privacy Protection).

Who needs training?

As it is very difficult to predict the precise scope of personal information collection, use and disclosure by employees, privacy training should be broadly targeted. Ontario's Information and Privacy Commissioner advises that all employees — including the senior management team, departmental managers and front-line staff — should receive privacy training.

The Office of the Privacy Commissioner of Canada, which is responsible for oversight of PIPEDA, has consistently recommended that organizations subject to that act provide privacy training for both front-line and management staff. And after a much-publicized privacy breach involving a federal government department's loss of a computer hard drive, the commissioner recommended that a privacy training and awareness program be delivered to all departmental employees.

Similar recommendations have been made by privacy regulators in other jurisdictions, including Alberta, Newfoundland and Labrador, British Columbia and New Brunswick. In speaking about Saskatchewan's Health Information Protection Act (HIPA), that province's information and privacy commissioner has noted:

"As we work to build a strong culture of privacy and confidentiality in and among all Saskatchewan trustees and trustee organizations, all staff of a trustee organization should receive HIPA training. The experience in other provinces with a health information law is that training should involve all employees, volunteers, contractors and students who work in or for a health trustee organization. The content and intensity of the training will reflect the particular roles and needs of different employee groups in an organization, but all of those employees and others should have some basic understanding of privacy, confidentiality and HIPA."

What's covered in the training?

Given the particular nuances of each organization's activities and internal policies and procedures, and the host of potentially applicable privacy laws, there isn't a single, standardized template for an employee privacy training curriculum. But there are a number of common elements that should form part of each program, including:

• Some privacy-related background information that provides context for the training.
• A discussion of key terms.
• A brief review of applicable privacy laws.
• An examination of key privacy concepts.
• A description of the organization's ongoing dealings with, and holdings of, personal information or personal health information.
• A review of the organization's policies and procedures that relate to privacy and data security.
• An introduction to the organization's privacy officer or team and a description of her roles and responsibilities.
• A reminder of each staff member's personal responsibilities relating to privacy and data security.

Privacy training is not generally suited to a one-size-fits-all approach. Employees responsible for front-line dealings with personal information, especially sensitive information, will require training that differs, in the extent and specificity of its content, from training provided to employees who have less frequent contact with personal information.

As an example, in 2013 the information and privacy commissioner of Newfoundland and Labrador held that the employees of a regional health authority who were given user privileges for an electronic medical records system "should be required to complete privacy training each year that includes completion of a comprehensive privacy tutorial with specific modules on privacy issues related to electronic information systems. Completion of this training should be tracked and linked to an annual renewal of user privileges." In other words, completion of training becomes a recorded precondition for keeping system access, not just an HR checkbox.

Privacy regulators have not shown any particular preference regarding the format of privacy training — organizations can choose between live and electronic (group or independent study) training in accordance with their own preferences and resources.

Training frequency

When it comes to privacy training, the old concept of "once and done" no longer meets due diligence requirements in most settings. The frequency of training should vary in accordance with the extent and sensitivity of the target audience's dealings with personal information.

Some privacy regulators feel that employee groups who continually deal with certain types of sensitive personal information will require detailed privacy training on an annual basis as a condition of employment. Other categories of staff will need less training but, in all cases, training should be updated on a regularly scheduled basis. New hires should receive training appropriate to their respective roles before interacting with personal information under the control of the organization.

Assessment, reinforcement

The most effective means of assessing the merits of a training program is to subsequently test trainees' understanding or retention of the information presented to them. Individual testing can take the form of a quiz administered in a live or electronic setting. Alternatively, testing can be carried out in a group setting via role-playing or team-based exercises, which may also have team-building benefits. In either case, if the testing reveals understanding or retention below an acceptable threshold, those people should be designated for retraining.

In cases where the personal information is of high sensitivity (such as health records), testing should be done on an individual basis and the employer could consider making a satisfactory test score a condition of service. Persistently high fail rates may be an indication that the test (or its scoring) is too difficult rather than that staff are inattentive. Organizations may also wish to direct refresher materials to employees between training sessions to reinforce key training messages.

Rick Shields is a partner specializing in privacy law at the legal firm nNovation in Ottawa. He can be reached at (613) 656-1293, rshields@nnovation.com, or visit www.nnovation.com for more information.
