This edition of the Information Roundup is brought you by Twitter.
No kidding! I’ve been on it for about a week and half now and it’s caused quite a switch in how I pick up information from the web. Many thanks to the folks at Unfiltered Orange, who are the likely source of two out of the three topics that I think will interest you this week. They relate to… personal e-mails on work computers, the management of social insurance numbers by employers and National Instrument 31-103 and security firm record-keeping.
Personal e-mails on work computers
Personal use of employer computer systems is a pet issue for me, and I was blown away to read about how “personal” e-mails on work computers are treated under European data collection laws in Data Collection: Nothing Personal. This article, by litigation support professional Bill Onwusah, describes how European companies have to mind their process of collecting e-mails for production in litigation so that employees’ personal e-mails are not collected for subsequent review. He says:
Particularly in mainland Europe, you cannot collect personal data and the mere act of doing so may contravene the local data protection legislation. The fact that it’s stored on a work PC is irrelevant. Users retain personal data as their own.
Wow! Canadian law still allows employers full control over their e-mail systems provided they give employees notice that they should not expect any privacy in their personal use. Most of the jurisprudence is arbitral and therefore based on collectively bargained rights, but our employment privacy statutes do not necessarily change this basic rule. And recently, in Johnson v. Bell Canada, our Federal Court held that our federal-sector employment privacy statute, PIPEDA, does not even apply to “personal” employee e-mails.
My view is that managing personal information in the production process is a newly important issue for Canadian organizations to reckon with insofar they are willing custodians. Employee personal e-mails do not fit within this category and, given the costs and complexities of of managing production from “mixed” e-mail systems, an approach that relies on clear notification makes for fair and sensible workplace policy.
Management of SINs by employers
This Proskauer Rose client alert talks about a recently in force New York regulation that deals with employers’ management of Social Security Numbers and other employee “personal identifying information” – including drivers license numbers.
I don’t believe we have similar legislation regarding drivers licenses in any Canadian province, but our Social Insurance Numbers are regulated by section 237(2)(b) of the federal Income Tax Act. This provision prohibits employers from using, communicating or “allowing to be communicated” a Social Insurance Number for purposes not related to tax administration without written consent. Our clients often ask whether SINs (or a variant of them) can be used as identifiers and we generally advise them to stay away from such practices in light of the ITA.
Proskauer also notes that New York’s General Business Law appears to allow employers to collect an SSN on an employment application form. Since there is no purpose related to tax administration for doing so, this practice is rightly avoided in Canada. If a Canadian employer needs to ask for a SIN to conduct a background check, this should generally be done towards the end of the recruitment process subject to written consent.
National Instrument 31-103 and security firm record-keeping
I’m just starting my learning process on National Instrument 31-103, so will just link to this Wall Street Technology article on how this new piece of securities regulation will affect record-keeping and e-discovery at Canadian securities firms.
On a personal note, Seanna was off at Deerhurst this week for a five day sales conference. Being a single father was rewarding and not as hard as I thought it would be, but I’m still recovering from being a solo bedfellow to our hairless cat. “Buffalo” is a Cornish Rex and, if you know the breed, they are very lovable and very needy. He normally sleeps under the covers with his head on Seanna’s pillow. She’s fine with this and I’m happy to give them both a kiss when I leave early to work. (He’ll actually protest if I ignore him!) Dear Buffalo, however, drives me nuts when Seanna goes away. I finally got fed up on her last night of absence and locked myself in the walk-in closet with a sleeping bag. Not to slight Seanna in any way, but I’m sure glad to have my side of the bed back!
See ya!
Dan
All About Information 
Wow, the IT techs in mainland Europe must be busy setting apart all those personal emails from the business communications. I can imagine how time consuming that is, and costly probably.
In Massachusetts, the CMR 17.00 law, which was to go into effect on Jan 1, 2009 has been pushed back to May ’09, due to business lobby concerns I am sure.
But, hard disk companies are already gearing up to take advantage of the the law’s requirement in Massachusetts. When it takes effect, companies that store name, address,etc., along with credit card or financial account numbers on their system have to protect it better than ever before or risk being sued or fined.
One hard drive company sent me an email with a brochure describing their USB external hard hard drive model that has all the pre-req encryption stuff built in. The subject line in his e-mail mentioned the new upcoming law.
Interesting!