Five key ways to protect your workplace - and employees' privacy
This article is a condensed and adapted version of the OIPC’s guidance document, “IT Security and Employee Privacy.”]
We all expect public bodies and businesses to secure their IT networks against outside threats—but what about those that can occur inside your workplace? Software tools can provide some protection, but they can also lead to the unintended collection of your employees’ personal information.
Whenever an employee uses their workplace computer during their lunch break, for instance, to check their online banking, access medical laboratory results or communicate with a spouse to plan daycare pickup, personal information could be in play. A security tool that is monitoring, tracking or auditing that activity may be collecting the personal information of employees.
There are legal limits on when public and private sector companies can collect, use, or disclose personal information under provincial privacy laws. While there is no one-size-fits-all solution, the following tips will help ensure your IT security protocols comply with B.C.’s privacy laws.
1. Make sure IT and procurement staff consult with your privacy officer when considering new security tools and protocols
Whenever you are considering a new security protocol, your IT and procurement staff should be in close communication with your organization’s privacy officer or legal counsel before decisions are made about implementation, as well as throughout the implementation process. There are solutions that address privacy and system security, but you need to ensure that both interests are fully considered at all times.
2. Complete a privacy impact assessment
One of the best ways for organizations to assess privacy risks of any program, policy or software is to complete a privacy impact assessment. This will ensure you have planned not only how the program will work, but also what type of personal information you will collect and how you can mitigate any potential privacy concerns. Do this work in the early planning stages; don’t wait until after you have purchased a software tool or monitoring devices that might put you off-side privacy law.
3. Provide notice to your employees
Your employees are entitled to know what information your organization is collecting about them when they use workplace computers, networks, and work-issued smart devices. This information is typically provided for in an employer’s Terms of Use policies that are signed by employees upon starting a new job. You should draft these notices carefully.
State the purpose of the program, the statutory authority for the collection of personal information that results from their IT security protocols, and give the contact information of someone who can answer your employees’ questions. Employers should also be prepared to explain to employees how the technology works, the extent of the personal information they will collect, and what will be done with that information.
4. Do not engage in continuous, real-time collection of personal information about employees
Ongoing or real-time collection of personal information from employees, such as keystroke logging and screen capturing, should be restricted to targeted investigations where there are reasonable grounds for suspicion or wrongdoing, and then only when other less privacy-intrusive measures have been exhausted.
5. When in doubt, ask the OIPC
Our office welcomes questions about any type of IT security you might be considering. We can help identify compliance challenges and discuss potential solutions to problems. Employees can also contact us with questions or concerns about privacy rights in the workplace.
Click here to read the entire OIPC Guidance Document, IT Security and Employee Privacy: Tips and Guidance.
