The Capital One Data Breach has been big news lately, and for good reason. It’s a big deal. This breach compromised the data of over 100 million Capital One customers. Instead of a shadowy overseas hacker or a creepy crawler from the dark web, the hacker was a former employee of the cloud hosting company through which Capital One stored their data (unconfirmed, but likely Amazon Web Services). She hacked through Capital One’s firewall to access information stored on the Amazon cloud. See, women can be hackers too! This particular woman is now in US federal custody.
Allegedly, Capital One configured a web app incorrectly, which created the vulnerability through which the hacker was able to access the server and the data.
This situation is a nightmare for all involved – the customers, Capital One, and perhaps Amazon – and serves as a good opportunity for us to remind users about data security and workplace privacy.
Data governance in Ontario
Every modern workplace should have a data governance policy, especially now that it is becoming more common for employers to digitally store an employee’s entire work life, which the employer may or may not be diligently protecting. The data governance policy may differ depending on your workplace and jurisdiction. The majority of Ontario workplaces are provincially regulated, and in those workplaces employee information is not subject to any specific privacy or data governance law, with the exception of workplaces that deal with private health information. Workplaces that deal with private health information – generally these are just bodies in the medical field – are governed by the Personal Health Information Protection Act. Even where no specific law applies, employees are entitled to a reasonable expectation of privacy in the workplace.
The federal privacy legislation, the Personal Information Protection and Electronic Documents Act (“PIPEDA”), applies to federally regulated private sector businesses (banks, telecommunications, interprovincial transportation, etc.). It governs personal information generally, and not just personal health information.
While PIPEDA only applies to employers in federal works, undertakings and businesses, adopting a PIPEDA-inspired standard in the workplace can benefit employers looking to strike a balance between their employees’ right to preserve their privacy and the employer’s right to collect and retain information critical to the functioning of their business.
Data governance policies
Schedule 1 of PIPEDA includes a list of 10 basic principles that businesses should use in order to ensure their use and storage of private data is reasonable. These rules are also reflected in various provincial private sector privacy laws and are frequently cited in privacy caselaw and arbitral decisions in Ontario. This list should provide employers in Ontario with the tools required to properly manage their employees’ private information, which gives the employer added protection in the event that their data finds its way into the hands of a hacker.
- Organizations are accountable and responsible for the data they manage.
- Organizations should inform individuals of the personal information they collect, why they collect it, and what they do with it.
- In most instances, an employee should be given an opportunity to consent to the collection, use or disclosure of their personal information.
- The information collected by an employer should be necessary for the purpose identified and should be collected using fair and lawful methods.
- An organization should only disclose personal information for the purpose it was originally collected and store information only for as long as originally specified, unless the individual consents to other uses or there is a legal rationale for disclosing the information.
- An individual’s personal information should be accurate, complete, and up-to-date.
- Personal information should be protected using adequate safeguards.
- Individuals have the right to access their personal information and the right to have their information corrected.
- Organizations are required to give employees the means to challenge an organization’s compliance with these principles.
While Ontario lacks privacy legislation and thus cannot require employers to implement PIPEDA compliant privacy policies in their workplaces, employers should be mindful that employees do have avenues of recourse if their personal information is accessed or disclosed without their consent. In the landmark privacy case in Ontario, Jones v. Tsige, the Court of Appeal recognized employment information as one of the categories of personal information that could be highly offensive to invade. Employees have successfully relied on this case when their employers have used their personal information inappropriately or required them to undergo invasive tests where highly personal information was collected.
Takeaway for employers
With the stakes being what they are, it may be pragmatic for employers to simply limit data collection to information that is absolutely necessary for the functioning of their business rather than going on fishing expeditions under the guise of improving safety and security. Following the principles expressed in PIPEDA’s Schedule 1 seems like a small concession when you consider the potential havoc a privacy breach could create within an organization. In the event of a breach, having less will certainly provide more peace of mind.