The commissioner found it odd that organizations would not take the time to properly protect personal information. He stated, “Encryption technology is pretty much commonplace, and it’s irresponsible that an organization would allow this stuff out the door, without ensuring it’s protected.”

The commissioner also commented that these organizations were putting a lot of people on edge, given the potential for identity theft or personal embarrassment. On the same note, when a laptop containing personal information is stolen, the organization faces more work, cost and embarrassment because they have to notify individuals that they lost their personal information, and it might be used for illegal purposes.

I’m wondering: what kind of security measures do you have in place in your organization? What type of physical and technological protections do you have to prevent privacy breaches?

Christina Catenacci
First Reference Human Resources and Compliance Editor

© 2010 First Reference Inc. All Rights Reserved. | Permalink | Make a comment |

Image taken from: http://www.glassdoor.com/

Here’s a case I hope you find interesting. It sure seems curious to me.

In 2006, Mark’s Work Wearhouse in Alberta started running background credit checks on employees looking for work at the clothing store. Not criminal record checks; not general reference checks; credit checks.

Last Friday, Christina discussed the difficulties that employers go through when they approach reference employers to do background checks on prospective employees. Employers might very well want to know about those difficulties, because it’s reasonable for them to look for information that is relevant to a potential employee’s performance in a particular job.

It’s more difficult to justify collecting credit information on candidates or employees, at least when the job in question is middle-of-the-road retail. Mark’s seems to have missed this little fact until it faced a complaint to Alberta’s Privacy Commissioner. Performing background checks on prospective employees’ credit runs counter to the province’s Personal Information Protection Act, which applies to private sector businesses in the province.

Of course, the retailer defended its practice, saying:

Credit history information can provide insight into an applicant’s tendency to meet financial obligations as well as his or her current financial pressures. The way in which individuals handle their own funds can often be a reflection of how they will handle the financial responsibilities and tasks associated with their employment duties.

[Sales Associates] at Mark’s are often in a position to handle cash while completing merchandise transactions and … may also have access to the store safe, security codes, petty cash and the store itself during off hours.

In other words, the company wanted to avoid hiring Sales Associates it thought would be more likely to steal. While this case isn’t a human rights decision, I think Mark’s should have seen a problem right there. Maybe they should have asked why similar companies aren’t doing this sort of loss-prevention.

The Privacy Commissioner disagreed with the company’s defence, finding no reasonable connection between an individual’s personal credit information and her or his ability to perform the duties of a Sales Associate. Mark’s simply failed to provide a reasonable connection between its collection of the credit information and its purposes for collecting the information.

Thus, the commissioner recommended that Mark’s Work Wearhouse stop conducting the pre-employment credit checks, which it did.

Organizations must remember that they may only collect personal information for reasonable purposes. What I found curious is that Mark’s—or their lawyers—didn’t recognize that the company’s credit-check practice was questionable at best. Maybe it’s not so obvious, but it seems pretty clear to me that credit information cannot form the basis of a hiring decision (except in very specific circumstances).

What do you think—should employers be allowed to conduct background checks on prospective employees’ credit? Does a person’s credit record say anything about her or his ability to perform a job securely? Or is the idea simply discrimination under a different guise?

Also, if you don’t want to get caught in a similar scenario, here are some other—legal—things you can do about employee theft.

Adam Gorley
First Reference Human Resources and Compliance Assistant Editor

© 2010 First Reference Inc. All Rights Reserved. | Permalink | 4 comments |

(a) A worker can be expected to encounter that person in the course of his or her work; and
(b) The risk of workplace violence is likely to expose the worker to physical injury.

This would require employers to establish some sort of notification procedure for persons with a history of violence (employees, patients, clients or visitors to the workplace) so that workers who might encounter the person are aware of the risk of potential physical injury in their workplace environments.

I don’t know about you, but this sounds to me like profiling. According to WordReference.com, profiling means: recording a person’s behaviour and analyzing psychological characteristics in order to predict or assess their ability in a certain sphere or to identify a particular group of people.

What did I tell you!

Yet the legislation limits the disclosure only to information that is reasonably necessary to protect workers from physical injury.

What a relief! Our profiling obligations have limits; however, there are no specific provisions in the law regarding the type and amount of personal information that must be provided.

What about the employee’s right to privacy, you ask? Somebody reminded me in a conversation that victims and perpetrators of violence own the information that is or will be potentially shared and disclosed with, or by employers. Applicable federal or provincial private sector privacy legislation and common law rights exist to protect the personal information of all individuals.

Thus, privacy legislation and the right to privacy under common law apply in such situations. To comply with privacy legislation and rights, an employer should inform a person of the purposes for which it will collect, use and disclose information, as well as obtain consent. An employer can only disclose information if it is related to the primary purpose for collection. Moreover, in some cases, the law requires employers to disclose information (for purposes related to the primary purpose) without the consent of the person who provided it, where an individual would reasonably expect the disclosure.

Applying this principle in the context of violence prevention under Occupational Health and Safety law means: only sharing information about a person’s history of violence when the disclosure is for the primary purpose for which the employer has a right to collect, regardless of whether the employer has explicit consent from the person with the history of violence. This means that if an employer allows a person with a history of violence to access its premises, and collects information on that person’s history of violence for the purposes of support, protection, prevention of violence and/or accountability for violence in their workplace, the employer can disclose the information for these purposes if an employee can be expected to encounter that person in the course of his or her work, and if the risk of workplace violence is likely to expose the worker to physical injury.

Moreover, if the employer expects an employee, patient or client to encounter a person with a history of violence in the course of his or her work and on the employer’s premises, OHS law obliges the employer to disclose that history (personal information). The disclosure is necessary to ensure the safety and protection from potential incidents of violence that may cause physical injury to employees’, patients and clients.

Employees, patients and clients who share their history of violence with the employer should be made aware of OHS disclosure rules, and be assured by the employer that their personal information will be protected by specific safeguards, including measures such as locked cabinets, computer passwords or encryption.

It does not end there. The disclosure requirement also has human rights implications for employers. The Ontario Human Rights Code prohibits discrimination on the basis of a record of offences. An organization cannot refuse to hire, continue to employ or treat differently with respect to employment policies and practices people who have criminal records for which they have received a pardon.

This implies that if an employer discloses (under the proper circumstances related above) an employee’s criminal conviction relating to physical violence for which a pardon has been granted, the employer could face a human rights complaint on the basis of the protected ground of record of offences. The disclosure could create a stigma on the person’s character. This means that employers have a responsibility to ensure that they are not taking part in, condoning or allowing discrimination or harassment to occur based on this prohibited ground.

It makes me wonder if the Ontario government fully understood how problematic the application of the disclosure requirement could be for an employer! What do you think?

Yosie Saint-Cyr
First Reference Human Resources and Compliance Managing Editor

© 2010 First Reference Inc. All Rights Reserved. | Permalink | Make a comment |