A weekend Toronto Star article reported that employees at the Canada Revenue Agency are improperly reviewing the private financial affairs of taxpayers. Some are using agency computers to give favoured treatment to colleagues, friends, family—and themselves.
CRA records for 2008–09 show 29 cases in which workers were caught accessing taxpayer records without authorization; that’s about average for the last five years. And there were a dozen instances in which tax records were improperly disclosed to third parties.
“In one egregious breach last October, a woman accessed 37,500 emails and 776 documents containing confidential financial information about ordinary Canadians. She downloaded the files onto 17 compact discs for her personal use, inexplicably helped by agency technicians.”
“13 other employees of the same office made unauthorized accesses to taxpayer information. Of the 13 employees, 10 provided preferential treatment to taxpayers, five accessed their own tax information, four received preferential treatment…
“Another worker peeked at secret agency information about two companies she operated on the side—while those firms were undergoing tax audits.
“In addition, the employee made extensive unauthorized accesses to the taxpayer information of friends and family members and hundreds of other individuals.”
These examples are clear breaches of privacy legislation, violations of ethical codes of conduct, and potential public relations nightmares, demonstrating that the possibilities for infringing on privacy might be greater than ever before.
The proper treatment of personal information is crucial: it helps to maintain a business’s image; gains and retains the trust of employees and customers; assures that there is accurate information for business purposes; and ultimately gives the business a competitive advantage in the marketplace.
So how do you protect customers’ personal information?
Organizations must educate their employees about their privacy practices and policies and ensure the employees understand their role in implementing them and communicating them to customers. This includes ensuring that employees are aware of the circumstances under which they may or may not collect, use, disclose or access customer information, and the reasons for collecting such information.
Other privacy requirements to consider
Your policy must indicate how you will adequately protect and safeguard customers’ personal information. This includes limiting access to personal information to a need-to-know basis. Prepare a list of employees who really need to use private customer information to do their job. If they do not need it, make sure they do not see it.
Identify and assess the risks to customer information in each relevant area of the company’s operations, and evaluate the effectiveness of the current safeguards for controlling these risks. Also, implement a safeguard program, and regularly monitor and test it. This program should include a system that will record whoever accesses the stored personal information, when and for what purpose.
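A minimal version of the two safeguards above (a need-to-know list and a system that records who accessed which record, when and why, and is monitored) as an added example; it is not code from the article or from the CRA. It assumes an audit log with those fields and flags the patterns the article describes: an employee opening their own file, access to a record outside the employee's assigned cases, and one person pulling an unusually large number of records in a day. All employee ids, case ids and SIN-like values are constructed.

```python
"""Review an access audit log for unauthorized use of personal records."""
from collections import defaultdict

# Need-to-know list (constructed): employee id -> case files they may work on.
NEED_TO_KNOW = {"E100": {"C-42"}, "E101": {"C-42", "C-77"}, "E102": {"C-77"}}

# Constructed audit rows: (timestamp, employee_id, employee_sin, record_sin, case_id).
# SIN-like values are made up and are not valid Social Insurance Numbers.
AUDIT_LOG = [
    ("2009-10-01T09:02", "E100", "111-111-118", "222-222-226", "C-42"),
    ("2009-10-01T09:05", "E100", "111-111-118", "111-111-118", ""),      # own file
    ("2009-10-01T09:07", "E101", "333-333-334", "222-222-226", "C-42"),
    ("2009-10-01T09:08", "E101", "333-333-334", "444-444-442", "C-99"),  # not assigned
]
# One employee reading hundreds of unrelated records in a morning (constructed).
AUDIT_LOG += [
    (f"2009-10-01T10:{i % 60:02d}", "E102", "555-555-556", f"9{i:08d}", "C-77")
    for i in range(300)
]

BULK_THRESHOLD = 100  # distinct records per employee per day; tune per role


def review_access_log(log, need_to_know, bulk_threshold=BULK_THRESHOLD):
    """Return (rule, employee_id, detail) findings for a reviewer to follow up."""
    findings = []
    per_day = defaultdict(set)  # (employee, day) -> distinct records touched
    for ts, emp, emp_sin, rec_sin, case_id in log:
        # Rule 1: staff must not look at their own file through the work system.
        if emp_sin == rec_sin:
            findings.append(("self_access", emp, f"{ts} own record"))
        # Rule 2: every access must be tied to a case on the employee's list.
        if case_id not in need_to_know.get(emp, set()):
            findings.append(("no_need_to_know", emp,
                             f"{ts} record {rec_sin} case {case_id or '-'}"))
        per_day[(emp, ts[:10])].add(rec_sin)
    # Rule 3: volume far above a normal caseload suggests bulk extraction.
    for (emp, day), records in per_day.items():
        if len(records) > bulk_threshold:
            findings.append(("bulk_access", emp, f"{day}: {len(records)} distinct records"))
    return findings


if __name__ == "__main__":
    for rule, emp, detail in review_access_log(AUDIT_LOG, NEED_TO_KNOW):
        print(f"{rule:16} {emp}  {detail}")
```

The same three rules apply to any system that stores personal information; the point is that the log must capture purpose (the case id here), not just the fact of access, or rule 2 cannot be checked.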
Use locked cabinets and restrict access to offices where personal information is stored. Protect digital information with passwords, encryption and firewalls. Retailers and other points of sale should have cash registers that truncate (X out) payment card numbers on customer receipts.
In addition, organizations must make sure they do not collect information for one purpose and use it for another without informing their customer or obtaining prior permission to do so. Only collect personal information that your business actually needs. For example, businesses need to collect certain personal information to manage a commercial relationship and provide ongoing service, to bill and collect for products and services, to market to individuals, and to meet legal and regulatory requirements.
Businesses may not pass their customer lists on to third parties without consent. However, if you do so for legitimate business purposes, your policy must indicate how you intend to disclose customer information to the third party. You do not need to name them, but you need to give the customer a general idea of the types of companies in question. You must also provide the opportunity for consent. Also, inform your customer if personal information under your control will be disclosed or stored outside of Canada.
Indicate how long customer information will be retained to fulfill your business purposes and how that information will be disposed of when the retention period has elapsed. You must not keep the information longer than necessary.
Your policy should be clear, concise and written in plain language so that your customers and employees can easily understand how you manage their information. That policy and all related documents should also meet accessibility standards found under the Accessibility for Ontarians with Disabilities Act (AODA).
Make yourself available for questions. Indicate who in your organization handles privacy inquiries, and how to reach them, whether through email or a toll-free number. Ensure your customers know they can contact the Office of the Information and Privacy Commissioner if they are unsatisfied with your response to their privacy concern.
Unfortunately, in the case of the CRA, Canadians can’t take their business elsewhere. But with private organizations, they can. That’s the main reason training employees to take basic steps to maintain the security, confidentiality and integrity of customer information makes good business sense. If you treat your customers’ information in a cavalier way, you shouldn’t be surprised if the authorities come knocking, and your customers run away to more secure businesses.
First Reference Human Resources and Compliance Managing Editor