The five ways of a strong privacy officer

It has been a few years since Carswell published its Managing Personal Information text, but this morning I had cause to look up a chapter on information governance that I contributed. I had forgotten about what I had written about the qualities of a privacy officer, but liked what I read and thought I would share it here.

Acting in support of self-policing is not an easy role. With this in mind, here is a list of good behaviors for privacy officers to demonstrate:

  • Flexibility. Privacy officers should understand that few things required by privacy statutes are black and white and should be prepared to accommodate reasonable business risk.
  • Creativity. Privacy officers should be prepared to help line managers think creatively about how to manage around privacy-related constraints in a responsible manner.
  • Benign skepticism. Privacy officers should give others the benefit of the doubt, while also looking diligently for objective evidence of non-compliance.
  • Fairness and consistency. Privacy officers should take an even-handed approach to their duties, treating all departments and employees in a principled and objective manner. They should deal with similar scenarios in similar ways.
  • Empathy. Privacy officers should communicate the rules with a view to helping audience members comply and should be understanding of audience members’ business demands.

Privacy officers should strive to foster and protect their credibility with line management. This involves demonstrating unwavering commitment to the principles underlying their privacy programs, yet a willingness to apply those principles in a manner that invites respect and keeps “doors open.”

Thank you Claudiu Popa for involving me in your book project. For more about Managing Personal Information and to purchase a copy see here.

Workplace privacy panel at the #CIAJ “Privacy in the Age of Information” conference

I’m midway through the Canadian Institute for the Administration of Justice “Privacy in the Age of Information” conference in St. John’s, Newfoundland. It’s been a great conference so far, with quality presentations on tough administration-of-justice issues like cyberbullying, the right to be forgotten and state surveillance.

My contribution was on the workplace privacy panel with Paul MacDonald of Cox & Palmer (as moderator), Emma Phillips of Sack Mitchell and Melanie Beuckert of the Court of Appeal of Manitoba. I started with a short “management perspectives” address and then Emma and I debated a variety of issues, including computer access and monitoring, off-duty conduct and the exclusion of surveillance evidence at labour arbitration. Melanie played the “straight person” role wonderfully. It was fun, and I advanced my thinking about these issues significantly.

In preparation I worked up the speaking notes below, which capture some of the ideas I contributed to the discussion.

Cole and Tsige: Clarifying the implications in the workplace

This is the title of an OBA panel discussion I participated in today with Christopher Du Vernet, counsel to Sandra Jones in the 2012 case that created our intrusion upon seclusion tort. These are my speaking notes.

The other side of the balance: employer interests, work systems and R v Cole

Here’s a link to an essay that describes the impact of the Supreme Court of Canada’s decision in R v Cole – the work system privacy case. I appeared with my colleague Joseph Cohen-Lyons on behalf of the Canadian Association of Counsel to Employers, and the paper represents the intellectual end point of a great experience. Whether you agree with the position or not, I hope it sparks some ideas!

Acceptable use policies – answers to ten common employer questions

I’ve been doing substantial work on employer acceptable use policies lately and would like to publish a draft Q&A for feedback.

If you have feedback please comment or send me an e-mail.

Dan

1. What should employers do today to ensure their acceptable use policies effectively manage the implications of personal use?

In light of recent developments, employers should ensure that their acceptable use policies (1) articulate all the purposes for which management may access and use information stored on its system and (2) make clear that engaging in personal use is a choice employees make that involves the sacrifice of personal privacy.

2. What are the most common purposes for employer access?

Consider the following list: (a) to engage in technical maintenance, repair and management; (b) to meet a legal requirement to produce records, including by engaging in e-discovery; (c) to ensure continuity of work processes (e.g., employee departs, employee gets sick, work stoppage occurs); (d) to improve business processes and manage productivity; and (e) to prevent misconduct and ensure compliance with the law.

3. How should employers describe the scope of application of an acceptable use policy?

Acceptable use policies usually apply to “users” (employees and others) and a “system” or “network.” To effectively manage employee privacy expectations, policies should make clear that devices (laptops, handhelds…) that are company-owned and issued for work purposes are part of the system or network even though they may periodically be used as stand-alone devices.

4. Should employers have controls that limit access to information created by employees even though they don’t want to acknowledge that employees can expect privacy in their personal use?

Access controls are an important part of corporate information security. Rules that control who can access information created by employees (e.g., in an e-mail account or stored in a space reserved for an employee on a hard drive) are, first and foremost, for the company’s benefit. Access controls should be clearly framed as being created for the company’s benefit and not for the purpose of protecting employee privacy.

5. How should passwords be addressed in an acceptable use policy?

Password sharing should be prohibited by policy. Employees should have a positive duty to keep passwords reasonably secure. An acceptable use policy should also make clear that the primary purpose of a password is to ensure that people who use the company system can be reliably identified. Conversely, an acceptable use policy should make clear that the purpose of a password is not to preclude employer access.

6. Does access to forensic information raise special issues?

Yes. Acceptable use policies often advise employees that their use of a work system may generate information about system use that cannot readily be seen – e.g., information stored in log files and “deleted” information. It is a good practice to use an acceptable use policy to warn employees that this kind of information exists and may be accessed and used by an employer in the course of an investigation (or otherwise).

7. How should an employer address the use of personal devices on its network?

Ensuring work information stays on company-owned devices has always been the safest policy, though cost and user pressures are causing a large number of organizations to open up to a “bring your own device” policy. Employers who accept “BYOD” should use technical and legal means to ensure adequate network security and adequate control of corporate information stored on employee-owned devices. For example, employers may require employees to agree to remote management of their own devices as a condition of use, with an understanding that they will sacrifice a good degree of personal privacy.

8. Should an acceptable use policy govern the use of social media?

Only indirectly. An acceptable use policy governs the use of a corporate network. A social media policy governs the publication of information on the internet from any computer at any time. In managing social media risks, employers should stress that publications made from home are not necessarily “private” or beyond reproach, so putting internet publication rules in an acceptable use policy sends a counter-productive message.

9. Should employers utilize annual acknowledgements?

Annual acknowledgements are not a strict requirement for enforcing the terms of an acceptable use policy but are helpful. The basic requirement is to give notice of all applicable terms in a manner that allows knowledge to be readily inferred in the event of a dispute. “Login script” with appropriate warning language is also common and helpful. Nowadays, a good login script will say something like, “If you need a confidential means of sending and receiving personal communications and storing personal files you should use a personal device unconnected to our system.”
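As an added example (not part of the original post), the following script shows one way to put the kind of warning language described above in front of users on a Unix host: it writes a banner file and points the OpenSSH server at it with the `Banner` directive, so the notice is shown before login. File paths are parameters so the functions can be exercised against scratch copies; the banner wording is adapted from the post and is a constructed sample, and the `sshd` daemon must be restarted separately for a real change to take effect.

```shell
#!/bin/sh
# Added example: install a pre-login warning banner for OpenSSH.
# Assumptions: an sshd_config in OpenSSH syntax; paths supplied by the caller.

# Constructed banner text, adapted from the wording suggested in the post.
BANNER_TEXT='NOTICE: This system is company property and is provided for business use.
Information stored on or passing through it, including log files and deleted
data, may be accessed and used by the company for technical management,
legal production, continuity of work and investigation of misconduct.
If you need a confidential means of sending and receiving personal
communications and storing personal files, use a personal device
unconnected to our system.'

# write_banner BANNER_PATH: create the banner file, world-readable so sshd can show it.
write_banner() {
  printf '%s\n' "$BANNER_TEXT" > "$1"
  chmod 0644 "$1"
}

# set_sshd_banner SSHD_CONFIG BANNER_PATH: set the Banner directive, replacing an
# existing (possibly commented-out) one so the file never carries two directives.
set_sshd_banner() {
  cfg=$1
  banner=$2
  if grep -Eq '^[[:space:]]*#?[[:space:]]*Banner[[:space:]]' "$cfg"; then
    sed -E "s|^[[:space:]]*#?[[:space:]]*Banner[[:space:]].*|Banner $banner|" "$cfg" \
      > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
  else
    printf 'Banner %s\n' "$banner" >> "$cfg"
  fi
}

# check_sshd_banner SSHD_CONFIG: succeed only if an active Banner directive points
# at an existing, non-empty file ("Banner none" disables the banner and fails here).
check_sshd_banner() {
  path=$(awk 'tolower($1)=="banner"{print $2}' "$1" | tail -n 1)
  [ -n "$path" ] && [ "$path" != none ] && [ -s "$path" ]
}

# Typical use on a real host (then reload sshd):
#   write_banner /etc/issue.net
#   set_sshd_banner /etc/ssh/sshd_config /etc/issue.net
#   check_sshd_banner /etc/ssh/sshd_config && echo "banner configured"
```

The check function is what an auditor would run across a fleet: it confirms the directive is present, not commented out, not set to `none`, and that the file it references actually exists and has content.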

10. Are there special concerns for public sector employers?

Most public sector employers in Canada are bound by the Canadian Charter of Rights and Freedoms and by freedom of information legislation. Many have workforces that are predominantly unionized. The guidance to public sector employers on their acceptable use policies is no different than to employers in general, but the need to manage expectations that employees may derive from personal use is particularly strong for public sector employers given the legal context in which they operate.