Key privacy protection tips for federal human resources professionals

July 2016

Human resources professionals in federal institutions are often involved in very sensitive employee matters requiring discretion. This includes handling personal information related to staffing, employee/employer relations and recourse processes along with personal health and wellness matters. Unintended disclosure of such personal information can have a real impact on employees’ overall workplace well-being.  

The following tips come from real-life examples of Privacy Act investigations by the Office of the Privacy Commissioner of Canada. The lessons learned can help you and your team better respect employee privacy and advise your clients to do the same.

1. Guard against information being shared with unintended recipients

One of the most common causes of data breaches reported to our Office relates to the sending of personal information to unintended recipients. In one specific case, an employee requested her personnel file, but it was sent to another employee with a similar name, and a complaint to our Office was deemed well-founded. Following our investigation, the department implemented new mandatory steps for processing such requests from employees. It committed to matching both the name and the employee’s identification number before sending out a personnel file and requiring a supervisor-level review and approval before releasing a personnel file.

2. Take extra care when sending personal information to groups electronically

We have seen multiple cases where information about a staffing process has been emailed to all candidates, revealing their names, email addresses and the fact that they were involved in the process to one another. Institutions have been advised to ensure that the “BCC” field is used for these types of emails.

3. The same information can sometimes be considered “personal” to more than one employee

Parties in recourse proceedings must be advised that they should treat these matters with utmost discretion. An organization’s employee complained to our Office that a manager against whom she had filed a harassment complaint had shared this fact in a staff meeting. On one hand, the manager was sharing her own personal information. But on the other hand, in doing so, she also disclosed someone else’s.

4. Documents need to be vetted carefully to guard against unintended disclosure

In response to a call from a tribunal examining a staffing process for relevant documents, a department submitted candidate interview notes. Although the tribunal specifically requested that medical and other sensitive personal information be stripped from any submitted files, the notes included information about one candidate’s medical history. This led to a breach report. The case highlighted the need for file submissions to be vetted appropriately before being submitted.

5. Collect only information that is  absolutely necessary for accountability when approving medical or family-related leave

In one specific matter, an individual filed a complaint about an institution’s request for personal information in connection with applications she had made for special paid leave to take care of an ailing relative. The application form called for personal information of the applicant and others, including the names of the sick relative and the person who normally provided care for that person, along with the names, relationships and ages of the household’s other members. Following our investigation, the institution agreed to collect only the personal information that is absolutely necessary for the proper administration of the leave and stopped collecting the names of third parties.

6. In the course of fitness to work evaluations, institutions should only share information that is factual, objective and pertinent 

In one matter brought to our Office, a complainant alleged that, after her acting director requested an evaluation, her employer sent too much of her personal information to Health Canada – information beyond what was required for the purpose. This included information tied to a past harassment investigation, along with several doctor’s notes, all provided without her consent. We found that there was no evidence to suggest that the medical certificates were directly relevant to, or necessary for, the purposes of the assessment.

7. Just because personal information is on a website doesn’t mean you can collect it.

An activist whose organization had filed a lawsuit against the federal government complained to our Office about two departments monitoring her personal Facebook page. Under the Privacy Act, personal information collected must be directly related to a government operating program or activity. Our investigation concluded that some of the personal information collected was not obviously relevant to the two departments’ work. The key lesson to take away from this case is that, under the Privacy Act, restrictions on collecting personal information apply, whether that information is available publicly or not.   

8. Know your role(s) and compartmentalize personal information accordingly

Human resources professionals play multiple roles in an organization, so it’s important that they silo information brought to them accordingly. In one investigation, we found that personal information provided in confidence by an employee to a human resources officer acting as her harassment advisor was improperly disclosed to a manager in the course of a staffing process in which the complainant was involved. The officer disclosed the nature of the issues the complainant was having with her current supervisor and, as a result, an offer of employment was withdrawn.

In order to prevent privacy problems like these, human resources managers should think ahead and equip themselves with knowledge to head-off issues before they become problems by, for example:

9. Making privacy training a priority

Human resources professionals have high access to significant employee personal information, which can mean high risk. As a result, it’s important that human resources teams are knowledgeable about Privacy Act requirements when handling personal information and advising clients on sensitive personnel matters.

10. Engaging your organization’s ATIP team for guidance

Knowing that even the most proficient human resources professional won’t know all the answers all the time to privacy-related questions, it’s important to open and maintain a strong line of communication with an institution’s Access to Information and Privacy unit to get guidance when in doubt.