I guess you’ve heard about some of the privacy breaches of the past few years. You know, the one where a major Canadian bank faxed personal information on thousands of customers to two random businesses in West Virginia and Quebec, or the ones where public officials left work laptops or memory keys containing unencrypted private data on citizens unattended and the devices were stolen, and on and on. What’s happening? Why are these accidents popping up so frequently now?
I think it’s fair to say there are numerous reasons. For example, technology has reached a point where it’s possible to carry vast amounts of information in very small containers, work practices have practically required that people transport the data away from the security of the office, and workplace policies and procedures simply have not kept up. In addition, laptops and other digital storage devices are easy targets for theft, whether the intention is to sell the item for a quick buck or to exploit sensitive data to commit much broader crimes, like identity fraud. Then there are media access, increased transparency, and legal implications: the media jump on any story about
And all of this is happening during a time of significant transformation in the awareness and nature of privacy in society: we share more and more of ourselves on blogs, Facebook, Twitter, and often don’t think of the consequences—where the information will end up, who will see it, how long it will remain out there. Legislators are trying to keep up, but it’s a slow process, and in this transitional time privacy practices involve a lot of attention and effort.
Think about this recent privacy breach: the Ottawa Citizen reports that old prescription records intended for a dump ended up strewn all over a street in Gatineau, north of Ottawa. A pharmacist found garbage bags full of papers in the basement of the pharmacy building he was moving into and asked a friend to dispose of them, without realizing that the bags contained sensitive information—namely, prescription records from several pharmacists that had occupied the building previously. The bags fell from a truck on the way to the dump, tore open and ended up all over the road. The pharmacist contacted the authorities as soon as he found out, and retrieved the records for shredding.
The case is currently under investigation by Ontario’s Information and Privacy Commissioner, so we’ll have to wait and see what the outcome is. Will the pharmacist face a penalty or fine? Will the previous pharmacists, who exposed personal client information to future tenants? Should they? It’s hard to even take a lesson from this case before we hear the commissioner’s decision. Are organizations responsible for garbage left behind by previous tenants?
Regardless of the outcome of this case, Canadian organizations face important obligations when it comes to protecting individuals’ privacy, both proactive and reactive. Employers must be cautious in collecting, storing, using and disclosing personal information. This obligation commonly involves health information, but it could be anything deemed personal, and now in Ontario it explicitly refers to histories of violence. On the other hand, employers and employees must be cautious about information they uncover on the internet, whether intentionally or not.
It’s confusing, no doubt! What does your organization do to meet its privacy compliance obligations? Have you encountered a situation where you didn’t know how to handle a piece of personal information?
For more on privacy law and employers’ obligations, search for “privacy” on HRinfodesk.
First Reference, Human Resources and Compliance Editor