The company also said that names, addresses, emails, birthdates, phone numbers and other information from 24.6 million PSN accounts may have been stolen from its servers as well as from an “outdated database”.

The incidents are under investigations and lawsuits have been filed against Sony. Closer to home, a proposed class-action lawsuit has been filed in Ontario on behalf of about one million Canadian PSN and Qriocity (another Sony online media network) users for breach of privacy. The lawsuit claims damages in excess of $1 billion, which includes having Sony pay the costs of credit monitoring services and fraud insurance coverage for two years.

The statement of claim alleges:

Sony “failed to adequately safeguard certain personal information, financial data and usage data”.

“The defendants delayed notifying the proper law enforcement agencies and delayed in notifying and/or warning the plaintiff and other class members of the potential theft of their personal information and/or financial data”.

The representative plaintiff in the action stated in a press release, “If you can’t trust a huge multinational corporation like Sony to protect your private information, who can you trust?”

Clearly, keeping private information private has become increasingly difficult.

In the wake of such data breaches, the federal, Alberta and British Columbia Privacy Commissioners launched, on May 3, 2011, a new online self-assessment questionnaire to help organizations better protect customers’ and employees’ personal information.

Securing Personal Information: A Self-Assessment Tool for Organizations is a detailed questionnaire and analysis tool that will help businesses assess how well they are complying with private-sector privacy laws. Under all of these laws, organizations that collect or hold personal information must take steps to protect the information from unauthorized access, collection, use, disclosure, copying, modification, disposal and destruction.

The tool can be used by any private-sector organization, particularly small and medium-sized businesses.

“Cleaning up after a data breach can be very costly for business,” warns BC Privacy Commissioner Elizabeth Denham. “In addition to the time and energy that needs to be diverted in order to mitigate the damage, a breach can also harm an organization’s reputation, and that can be much costlier than investing in better information-security practices in the first place.”

Moreover, businesses should take the time to find out if there are any gaps in their information-security processes and implement corrective measures to prevent or reduce the risk of costly data breaches.

Once you’ve assessed your workplace, take a look at First Reference’s Protecting employee and customer privacy, a how-to guide for private-sector organizations on compliance with privacy laws and protecting personal information. The guide will help you understand the “why”, “what” and “how” of privacy legislation and what you need to implement. For more information on how to purchase the guide, click here.

Yosie Saint-Cyr
First Reference Human Resources and Compliance Managing Editor

© 2011 First Reference Inc. All Rights Reserved. | Permalink | Make a comment |

Introduce new requirements for organizations to report material breaches of information security safeguards (data breaches) to the Privacy Commissioner of Canada and notify affected individuals and certain organizations when the breaches are deemed to pose a real risk of significant harm.

The Act would also allow organizations to share information in order to prevent fraud and aid in investigations of contraventions.

The proposed amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA) have yet to pass second reading, and it’s hard to say when Bill C-29 might become law, if at all. There are good reasons organizations should take notice though, like the potential for the government to keep a closer eye on whether you’re keeping up with your obligation to destroy documents.

According to Workplace magazine and Shred-it, “As data leaks and security breaches hit the headlines, it’s inevitable that more stringent legislation will follow”.

If Bill C-29 does become law, its enhanced transparency requirements “will force organizations to improve the way they handle and store data, ensuring systematic procedures are in place for destroying confidential information”.

No one should be surprised that the people at Shred-it are interested in organizations destroying their documents that they no longer need. That’s their business. Nevertheless, those obligations are real, and the article offers the following tips to help prevent security breaches.

1.     Identify security gaps

Conduct a security audit of your business’ security practices while keeping these questions in mind:

• Are there current procedures in place to properly secure or destroy sensitive data?  If so, what are they?
• If security gaps are present, where do they lie?

2.     List security gaps

List all potential risks specific to your organization. Some questions you should consider include:

• Are sensitive HR documents, such as employee records, only accessed by authorized personnel?
• Are there discrepancies between the security procedures involving print versus electronic documents?
• Are employees currently trained to dispose of paper waste using appropriate receptacles?

When compiling the list, remember to include both paper-based and electronic information sources. Also be sure to consider every stage of the information cycle, from data generation to document destruction.

3.     Working from home

When employees must work from home, they must limit the printing of hardcopies and transferring sensitive information onto personal devices such as laptops or USB keys. Employees should also refrain from throwing information out in garbage cans, recycling bins and dumpsters.

4.     Address security gaps

Create and develop a rigid security policy for your organization. Always remember to place sensitive information in secure areas and under password protection with limited access by employees. Delete or destroy all other data that are no longer required, and be sure to keep hard copies of confidential data under lock-and-key. Follow the document life cycle and implement company-wide policies that ensure all employees regularly destroy confidential documents using professional third party services.

I couldn’t say it better myself.

It’s also a good idea to make sure you recycle any appropriate documents. It should take little to no effort, and your customers and employees will approve.

To see the text of Bill C-29, the Safeguarding Canadians’ Personal Information Act, or follow its status, visit LEGISinfo.

First Reference publishes Finance and Accounting PolicyPro to help small and medium-sized businesses manage their obligations and comply with the law with respect to document security in general and document destruction specifically.

Adam Gorley
First Reference Human Resources and Compliance Editor

© 2011 First Reference Inc. All Rights Reserved. | Permalink | Make a comment |

Image taken from: http://leftcoastcowboys.com

A weekend Toronto Star article reported that employees at the Canada Revenue Agency are improperly reviewing the private financial affairs of taxpayers. Some are using agency computers to give favoured treatment to colleagues, friends, family—and themselves.

CRA records for 2008–09 show 29 cases in which workers were caught accessing taxpayer records without authorization; that’s about average for the last five years. And there were a dozen instances in which tax records were improperly disclosed to third parties.

For example:

“In one egregious breach last October, a woman accessed 37,500 emails and 776 documents containing confidential financial information about ordinary Canadians. She downloaded the files onto 17 compact discs for her personal use, inexplicably helped by agency technicians.”

Also:

“13 other employees of the same office made unauthorized accesses to taxpayer information. Of the 13 employees, 10 provided preferential treatment to taxpayers, five accessed their own tax information, four received preferential treatment…

“Another worker peeked at secret agency information about two companies she operated on the side—while those firms were undergoing tax audits.

“In addition, the employee made extensive unauthorized accesses to the taxpayer information of friends and family members and hundreds of other individuals.”

These examples are clear breaches of privacy legislation, violations of ethical codes of conduct, and potential public relations nightmares, demonstrating that the possibilities for infringing on privacy might be greater than ever before.

The proper treatment of personal information is crucial: it helps to maintain a business’s image; gains and retains the trust of employees and customers; assures that there is accurate information for business purposes; and ultimately gives the business a competitive advantage in the marketplace.

So how do you protect customers’ personal information?
When organizations collect personal information from customers, they must ensure that the customers understand the purpose for collecting the information and obtain consent in advance. A privacy policy is the usual way to inform your customers. The policy will outline why and how you collect information and how you will use it, and this will help put your customers at ease.

Organizations must educate their employees about their privacy practices and policies and ensure the employees understand their role in implementing them and communicating them to customers. This includes ensuring that employees are aware of the circumstances under which they may or may not collect, use, disclose or access customer information, and the reasons for collecting such information.

It’s a good idea to establish an in-house training program for employees. Train them on their legal obligations under applicable privacy legislation, the common law right to privacy and your privacy policy.

Other privacy requirements to consider
Your policy must indicate how you will adequately protect and safeguard customers’ personal information. This includes limiting access to personal information to a need-to-know basis. Prepare a list of employees who really need to use private customer information to do their job. If they do not need it, make sure they do not see it.

Identify and assess the risks to customer information in each relevant area of the company’s operations, and evaluate the effectiveness of the current safeguards for controlling these risks. Also, implement a safeguard program, and regularly monitor and test it. This program should include a system that will record whoever accesses the stored personal information, when and for what purpose.

Use locked cabinets and restrict access to offices where personal information is stored. Protect digital information with passwords, encryption and firewalls. Retailers and other points of sales should have cash registers that truncate (X out) payment card numbers on customer receipts.

In addition, organizations must make sure they do not collect information for one purpose and use it for another without informing their customer or obtaining prior permission to do so. Only collect personal information that your business actually needs. For example, businesses need to collect certain personal information to manage a commercial relationship and provide ongoing service, to bill and collect for products and services, to market to individuals, and to meet legal and regulatory requirements.

Businesses may not pass their customer lists on to third parties without consent. However, if you do for viable purposes, your policy must indicate how you intend to disclose customer information to the third party. You do not need to name them, but you need to give the customer a general idea of the types of companies in question. You must also provide the opportunity for consent. Also, inform your customer if their personal information that is under your control will be disclosed or stored outside of Canada.

Indicate how long customer information will be retained to fulfill your business purposes and how that information will be disposed of when the retention period has elapsed. You must not keep the contents longer than necessary.

Your policy should be clear, concise and written in plain language so that your customers and employees can easily understand how you manage their information. That policy and all related documents should also meet accessibility standards found under the Accessibility for Ontarians with Disabilities Act (AODA).

Review and update the customer privacy policy yearly and ensure you have the latest technology for protecting and safeguarding such information.

Make yourself available for questions. Indicate who in your organization handles privacy information either through email or a toll-free number. Ensure your customers know they can contact the Office of the Information and Privacy Commissioner if they are unsatisfied with your response to their privacy concern.

Establishing a privacy program is not an easy task. It requires thorough investigation and analysis of what personal information currently exists under the control of the organization. Companies should implement safeguards appropriate to their own circumstances. Regularly remind all employees of your company’s privacy policy—and the legal requirement—to keep customer information secure and confidential. For example, consider posting reminders for employees about their responsibility for security in areas where customer information is stored, like file rooms or electronic files.

Unfortunately, in the case of the CRA, Canadians can’t take their business elsewhere. But with private organizations, they can. That’s the main reason training employees to take basic steps to maintain the security, confidentiality and integrity of customer information makes good business sense. If you treat your customers’ information in a cavalier way, you shouldn’t be surprised if the authorities come knocking, and your customers run away to more secure businesses.

Yosie Saint-Cyr
First Reference Human Resources and Compliance Managing Editor

© 2010 First Reference Inc. All Rights Reserved. | Permalink | Make a comment |

Image taken from: www.cba.org

On May 29, the federal government introduced Bill C-29, the Safeguarding Canadians’ Personal Information Act, which makes substantial changes to the Personal Information Protection and Electronic Documents Act (PIPEDA). The Bill had been in development for several years, and one of its primary objectives was to address a significant gap in PIPEDA, the issue of mandatory disclosure of “material” breaches of personal information by the companies or organizations responsible.

Although Bill C-29 does address this issue, it’s the way that disclosures are classified as material, and the lack of penalties for non-disclosure that have critics unhappy, like Michael Geist and Janet Lo, counsel with the Public Interest Advocacy Centre. Under the new legislation, the organizations responsible for the breaches get to decide if they are material and must be reported to the Privacy Commissioner (based on a number of criteria, such as the sensitivity of the information, the number of customers affected and an assessment by the company that concludes the cause of the breach indicates a systemic problem).

Companies also have the discretion to decide if they must inform the individuals whose personal information has been breached, based on whether the breach poses a real risk of significant harm (e.g., identity theft, fraud or damage to reputation). And there are no monetary penalties for sweeping significant data breaches under the rug. This is in contrast to laws in several United States jurisdictions that define the responsibility to report breaches with more precision, and either impose hefty fines for breaches or grant the right of those affected to sue the company responsible.

Confidentiality and Privacy policies are featured in all of First Reference’s Internal Control Library publications. See policy IT 8.04 in Information Technology PolicyPro, policy NP 1.08 in Not-for-Profit PolicyPro, and policy GV 1.11 in Finance and Accounting PolicyPro.

Colin Braithwaite
First Reference Internal Controls Managing Editor

© 2010 First Reference Inc. All Rights Reserved. | Permalink | Make a comment |

Image taken from: http://www.hoax-slayer.com

I’ve discussed the Privacy by Design (PbD) principle before, in the Inside Internal Control newsletter. In case you don’t know, PbD is an approach developed by Dr. Ann Cavoukian, the Privacy Commissioner of Ontario, which proactively embeds privacy protection by default in the design of an organization’s practices and products.

Now the commissioner has released a paper that discusses the integration of PbD principles into a Privacy Risk Management framework, built on the model of ISO 31000. The paper is aimed at organizations that already have privacy and risk management capabilities in place. As Dr. Cavoukian writes, “By embedding privacy into their existing risk management framework, they will be able to manage risks associated with the protection of personal information, in much the same fashion as any other business risk.”

You can find other useful papers on the Privacy by Design website.

And you can find confidentiality and privacy policies in all of First Reference’s Internal Control Library publications: Information Technology PolicyPro, Not-for-Profit PolicyPro and Finance and Accounting PolicyPro.

Colin Braithwaite
First Reference Internal Controls Managing Editor

© 2010 First Reference Inc. All Rights Reserved. | Permalink | Make a comment |

Image taken from: http://rogerevansonline.com

I guess you’ve heard about some of the privacy breaches of the past few years. You know, the one where a major Canadian bank faxed personal information on thousands of customers to two random businesses in West Virginia and Quebec, or where the public officials left work laptops or memory keys unattended with unencrypted private data on citizens and they were stolen, and on and on. What’s happening? Why are these accidents popping up so frequently now?

I think it’s fair to say there are numerous reasons. For example, technology has reached a point where it’s possible to carry vast amounts of information in very small containers, work practices have practically required that people transport the data away from the security of the office, and workplace policies and procedures simply have not kept up. In addition, laptops and other digital storage devices are easy targets for theft, whether the intention is to sell the item for a quick buck or to exploit sensitive data to commit much broader crimes, like identity fraud. Then there are media access, increased transparency, and legal implications: the media jump on any story about

And all of this is happening during a time of significant transformation in the awareness and nature of privacy in society: we share more and more of ourselves on blogs, Facebook, Twitter, and often don’t think of the consequences—where the information will end up, who will see it, how long it will remain out there. Legislators are trying to keep up, but it’s a slow process, and in this transitional time privacy practices involve a lot of attention and effort.

Think about this recent privacy breach: the Ottawa Citizen reports that old prescription records intended for a dump ended up strewn all over a street in Gatineau, north of Ottawa. A pharmacist found garbage bags full of papers in the basement of the pharmacy building he was moving into and asked a friend to dispose of them, without realizing that the bags contained sensitive information—namely, prescription records from several pharmacists that had occupied the building previously. The bags fell from a truck on the way to the dump, tore open and ended up all over the road. The pharmacist contacted the authorities as soon as he found out, and retrieved the records for shredding.

The case is currently under investigation by Ontario’s Information and Privacy Commissioner, so we’ll have to wait and see what the outcome is. Will the pharmacist face a penalty or fine? Will the previous pharmacists, who exposed personal client information to future tenants? Should they? It’s hard to even take a lesson from this case before we hear the commissioner’s decision. Are organizations responsible for garbage left behind by previous tenants?

Regardless of the outcome of this case, Canadian organizations face important obligations when it comes to protecting individuals’ privacy, both proactive and reactive. Employers must be cautious in collecting, storing, using and disclosing personal information. This obligation commonly involves health information, but it could be anything deemed personal, and now in Ontario it explicitly refers to histories of violence. On the other hand, employers and employee must be cautious about information they uncover on the internet, whether intentional or not.

It’s confusing, no doubt! What does your organization do to meet its privacy compliance obligations? Have you encountered a situation where you didn’t know how to handle a piece of personal information?

Check out these other First Reference posts on privacy.

For more on privacy law and employers’ obligations, search for “privacy” on HRinfodesk.

Adam Gorley
First Reference, Human Resources and Compliance Editor

© 2010 First Reference Inc. All Rights Reserved. | Permalink | Make a comment |

Image taken from: http://www.glassdoor.com/

Here’s a case I hope you find interesting. It sure seems curious to me.

In 2006, Mark’s Work Wearhouse in Alberta started running background credit checks on employees looking for work at the clothing store. Not criminal record checks; not general reference checks; credit checks.

Last Friday, Christina discussed the difficulties that employers go through when they approach reference employers to do background checks on prospective employees. Employers might very well want to know about those difficulties, because it’s reasonable for them to look for information that is relevant to a potential employee’s performance in a particular job.

It’s more difficult to justify collecting credit information on candidates or employees, at least when the job in question is middle-of-the-road retail. Mark’s seems to have missed this little fact until it faced a complaint to Alberta’s Privacy Commissioner. Performing background checks on prospective employees’ credit runs counter to the province’s Personal Information Protection Act, which applies to private sector businesses in the province.

Of course, the retailer defended its practice, saying:

Credit history information can provide insight into an applicant’s tendency to meet financial obligations as well as his or her current financial pressures. The way in which individuals handle their own funds can often be a reflection of how they will handle the financial responsibilities and tasks associated with their employment duties.

[Sales Associates] at Mark’s are often in a position to handle cash while completing merchandise transactions and … may also have access to the store safe, security codes, petty cash and the store itself during off hours.

In other words, the company wanted to avoid hiring Sales Associates it thought would be more likely to steal. While this case isn’t a human rights decision, I think Mark’s should have seen a problem right there. Maybe they should have asked why similar companies aren’t doing this sort of loss-prevention.

The Privacy Commissioner disagreed with the company’s defence, finding no reasonable connection between an individual’s personal credit information and her or his ability to perform the duties of a Sales Associate. Mark’s simply failed to provide a reasonable connection between its collection of the credit information and its purposes for collecting the information.

Thus, the commissioner recommended that Mark’s Work Wearhouse stop conducting the pre-employment credit checks, which it did.

Organizations must remember that they may only collect personal information for reasonable purposes. What I found curious is that Mark’s—or their lawyers—didn’t recognize that the company’s credit-check practice was questionable at best. Maybe it’s not so obvious, but it seems pretty clear to me that credit information cannot form the basis of a hiring decision (except in very specific circumstances).

What do you think—should employers be allowed to conduct background checks on prospective employees’ credit? Does a person’s credit record say anything about her or his ability to perform a job securely? Or is the idea simply discrimination under a different guise?

Also, if you don’t want to get caught in a similar scenario, here are some other—legal—things you can do about employee theft.

Adam Gorley
First Reference Human Resources and Compliance Assistant Editor

© 2010 First Reference Inc. All Rights Reserved. | Permalink | 4 comments |

Harassment happens before violence! You would think that this is simply logical thinking, but Andrew reported that most violent incidents happen because employers do not take complaints of harassment seriously. Employers often neglect to stop the harassing behaviour or prevent it from escalating to a dangerous or harmful situation.

Harassment covers a wide range of offensive behaviour. It is commonly understood as behaviour intended to disturb or upset. In the legal sense, it is behaviour which a person finds threatening or disturbing. This can be interpreted quite broadly.

To illustrate, gossiping may seem harmless at the beginning, but it can be destructive and can breed abuse as well as isolation and depression. In this way, it can become a harassing behaviour covered under Occupational Health and Safety violence and harassment prevention obligations.

However, you mustn’t label people too quickly. Employers have to take a report or complaint seriously and be willing to find out what is really happening; that is, they must uncover the intent behind the alleged harasser’s behaviour and the negative affect it has on the target of the behaviour or the workplace as a whole. Employers must investigate and identify the risk of harm from the behaviour by taking prompt, thorough and impartial action. Make sure you have a harasser or bully.

Employees also have a role to play. The employee who feels harassed or the employee witnessing the harassment has to practice respectful confrontation; they must be prepared to challenge inappropriate behaviour and take action to stop it. But proceed with caution; two wrongs don’t make a right. Employees mustn’t harass or bully back, or react violently in response.

Do tell the person with the harassing behaviour that the behaviour is unwelcome, inappropriate and must stop.

Mandatory reporting, investigation and training (communication skills among other things) are essential to identify and deal with harassing behaviours in the workplace.

Employers should always make and keep a record of complaints and investigations (whether the complaint is ruled valid or not). Information that must be recorded includes the names of the people involved, dates, the nature and frequency of incidents, actions taken, follow-up and monitoring information. All sensitive information should be treated confidentially and meet the requirements under privacy legislation and common law privacy rights.

Proven allegations of harassment should be treated as disciplinary offences. Take the necessary measures to control the situation, stop the harassment and prevent the risk of, or continued harm to, employees. Offer assistance and support and protect the victim.

Employers’ ultimate aim is to develop a culture in which everyone understand harassment is unacceptable and where individuals are confident enough to bring complaints without fear of ridicule or reprisal. Everybody needs to feel responsible for challenging all forms of harassment and for upholding personal dignity. Send a message from the top and empower HR so that they can act!

That is my two cents worth. Thanks Andrew for a great session. Comments are welcome!

Yosie Saint-Cyr
First Reference Human Resources and Compliance Managing Editor

© 2010 First Reference Inc. All Rights Reserved. | Permalink | 4 comments |

(a) A worker can be expected to encounter that person in the course of his or her work; and
(b) The risk of workplace violence is likely to expose the worker to physical injury.

This would require employers to establish some sort of notification procedure for persons with a history of violence (employees, patients, clients or visitors to the workplace) so that workers who might encounter the person are aware of the risk of potential physical injury in their workplace environments.

I don’t know about you, but this sounds to me like profiling. According to WordReference.com, profiling means: recording a person’s behaviour and analyzing psychological characteristics in order to predict or assess their ability in a certain sphere or to identify a particular group of people.

What did I tell you!

Yet the legislation limits the disclosure only to information that is reasonably necessary to protect workers from physical injury.

What a relief! Our profiling obligations have limits; however, there are no specific provisions in the law regarding the type and amount of personal information that must be provided.

What about the employee’s right to privacy, you ask? Somebody reminded me in a conversation that victims and perpetrators of violence own the information that is or will be potentially shared and disclosed with, or by employers. Applicable federal or provincial private sector privacy legislation and common law rights exist to protect the personal information of all individuals.

Thus, privacy legislation and the right to privacy under common law apply in such situations. To comply with privacy legislation and rights, an employer should inform a person of the purposes for which it will collect, use and disclose information, as well as obtain consent. An employer can only disclose information if it is related to the primary purpose for collection. Moreover, in some cases, the law requires employers to disclose information (for purposes related to the primary purpose) without the consent of the person who provided it, where an individual would reasonably expect the disclosure.

Applying this principle in the context of violence prevention under Occupational Health and Safety law means: only sharing information about a person’s history of violence when the disclosure is for the primary purpose for which the employer has a right to collect, regardless of whether the employer has explicit consent from the person with the history of violence. This means that if an employer allows a person with a history of violence to access its premises, and collects information on that person’s history of violence for the purposes of support, protection, prevention of violence and/or accountability for violence in their workplace, the employer can disclose the information for these purposes if an employee can be expected to encounter that person in the course of his or her work, and if the risk of workplace violence is likely to expose the worker to physical injury.

Moreover, if the employer expects an employee, patient or client to encounter a person with a history of violence in the course of his or her work and on the employer’s premises, OHS law obliges the employer to disclose that history (personal information). The disclosure is necessary to ensure the safety and protection from potential incidents of violence that may cause physical injury to employees’, patients and clients.

Employees, patients and clients who share their history of violence with the employer should be made aware of OHS disclosure rules, and be assured by the employer that their personal information will be protected by specific safeguards, including measures such as locked cabinets, computer passwords or encryption.

It does not end there. The disclosure requirement also has human rights implications for employers. The Ontario Human Rights Code prohibits discrimination on the basis of a record of offences. An organization cannot refuse to hire, continue to employ or treat differently with respect to employment policies and practices people who have criminal records for which they have received a pardon.

This implies that if an employer discloses (under the proper circumstances related above) an employee’s criminal conviction relating to physical violence for which a pardon has been granted, the employer could face a human rights complaint on the basis of the protected ground of record of offences. The disclosure could create a stigma on the person’s character. This means that employers have a responsibility to ensure that they are not taking part in, condoning or allowing discrimination or harassment to occur based on this prohibited ground.

It makes me wonder if the Ontario government fully understood how problematic the application of the disclosure requirement could be for an employer! What do you think?

Yosie Saint-Cyr
First Reference Human Resources and Compliance Managing Editor

© 2010 First Reference Inc. All Rights Reserved. | Permalink | Make a comment |