TORONTO — Canada’s privacy commissioner George Radwanski is urging HR professionals to build a privacy policy into their employee records-keeping systems before implementing changes to IT.

Doing due diligence up front will help prevent potential employee/employer conflicts over personal files down the line, he said. “‘Oops’ is not a defence when it comes to violations of privacy,” said Radwanski, who Wednesday addressed a group of public and private sector human resources managers.

Several Canadian provinces are in the process of designing privacy legislation and may take their cue from the federal Personal Information Protection and Electronic Documents Act (PIPEDA), which governs federally-regulated industries like banking and broadcasting and began rolling out earlier this year.

The guiding principle behind PIPEDA is the “reasonable person test.” Would a reasonable person consider a privacy stipulation appropriate under the circumstances? “That’s one of the most important provisions of the PIPED Act, and I expect it to figure in provincial legislation too. It’s sort of a privacy touchstone,” Radwanski said.

“Even if you happen to be in a province that doesn’t pass such legislation,” he added, “you’re going to have a pretty unhappy work force if you disregard their privacy rights in ways that would be illegal in most other provinces.”

Radwanski said issues to be addressed before installing or updating a personal records management system include: the type of information collected, the person collecting it, the range of consent provided by employees, and how it will be linked to existing data.

It’s important to pinpoint the individual who is in charge of all these provisions and make sure employees are kept in the loop through the project. It’s also an excellent way of making sure that everyone involved — HR personnel, IT staff and the affected employees — understands the system and their access rights, he said.

The challenges of records-keeping and meeting the strictures of privacy legislation are numerous, said Wendy Chiu, director of human resources management systems, Rogers Communications Inc., based in Toronto. But the situation can be more complicated when a third party is introduced. Rogers doesn’t outsource its HR functions, said Chiu, but is getting its insurance and pension providers more involved in records management. “Although there’s definite efficiencies and savings that come out of that . . . you have to make sure employees are aware that is being done.”

Rogers is also moving to more of a self-service model for employee benefits, which means employees will be accessing and providing data online. For every change made to internal HR systems, there is an accompanying review, said Chiu, to ensure privacy measures are in place. But, she said, “the technology is getting implemented at a fairly quick rate. Overall, I think there needs to be a better understanding of what (privacy legislation) means to us as we move some of this stuff online.”

Even existing legislation like PIPEDA can’t cover all the bases, said Radwanski, and it’s up to companies and government agencies to observe the spirit of the law as much as the letter. Employee consent to data collection is at the core of PIPEDA, he said, and it behooves employers to bear that in mind. “If you don’t do it, nine times out of 10, it won’t be a problem,” he said. “But on the 10th time it can be a pain. You can’t go wrong by seeking consent.”
