Interview with Baker & McKenzie
September 2004
Terry McQuay, Nymity's President, interviews three of the
speakers at the upcoming Records
Protection, Retention and Destruction workshop that will
take place on September 29th. This workshop was created
in association with Baker & McKenzie, and each of the interviewees
is a lawyer with the firm. The three short interviews
focus on the privacy considerations with records management
and are presented to encourage you to understand the value
of attending this workshop.
INTERVIEW with Jonathan D. Cocker
Nymity: Why have record protection, retention and destruction
become such important issues to organizations in Canada?
Cocker: Prior to the introduction of personal
information protection laws in Canada, organizations would
often adopt an ad hoc approach to record retention. In many
instances, decisions on record retention and destruction were
based on available storage space and not on good corporate
management. The new privacy law era has forced organizations
to rethink their record management practices.
Nymity: What challenges do organizations face in managing
their personnel records?
Cocker: Employee information is always among
the most sensitive information that an organization will possess.
Personal information protection laws have only intensified
the scrutiny that employers are under in managing this information.
The first task employers must undertake in becoming privacy
compliant is looking inward to determine what their present
record protection and retention practices have been. Many
will not like what they’ll find.
Nymity: How should employers deal with hiring documents?
Cocker: There is a great deal of confusion
around employer obligations to manage hiring intake documents,
particularly where the applicant is ultimately unsuccessful.
Some provinces require these documents to be retained for
specified periods in order to permit applicants the ability
to access these records. Organizations must develop a clear
and transparent policy around their retention of hiring documents
that satisfies the requirements in all of the relevant jurisdictions.
Nymity: What are the rules around retaining medical records?
Cocker: As you’re probably aware, there are
a myriad of laws that address the protection and retention
of medical records, including the new Ontario Health Information
Protection Act. Understanding which laws apply, and how to
deal with the competing obligations is critical for anyone
who is responsible for managing employee medical records.
Nymity: What are the limits to an employer’s right to
learn and communicate employee personal information?
Cocker: There is often a natural inclination
for employers to seek to learn more about their employees than
is essential for the employment relationship. While collecting
this kind of extraneous information has never been a good
practice, in my view, the new privacy laws now clearly check
these activities. Further, they obligate employers to review
all of their existing personal information and destroy anything
that’s no longer necessary.
Nymity: What are the new rules around giving references?
Cocker: The good old days where human resources
personnel would simply phone their counterparts at other organizations
for information on prospective candidates have gone forever.
Today, clear and reasonable consents must be given in order
for any information to be shared. Many organizations are instituting
new reference procedures to address the new privacy law regime.
Nymity: Why do you think that access rights have created
such a stir among employers?
Cocker: It is generally not the payroll or
other employment administration documents that employers are
concerned to disclose. Rather, it is the performance documentation,
including the source documents not typically provided to employees
during performance reviews, that are worrying to employers
under the new privacy laws. We have started to see employees
and their counsel seeking access to these documents in advance
of bringing claims against employers, particularly following
a termination of employment. Organizations must know how long
they must keep these records and what to do in the event access
is sought.
Nymity: Where does the law stand regarding e-monitoring?
Cocker: Disputes over employers’ rights
to monitor employees’ use of workplace email and internet
systems have been a real privacy battleground. Employers need
to know when and how they are permitted to electronically
monitor their employees and, further, what the appropriate
response is in correcting misconduct. The old practice of
adopting a “zero tolerance” policy doesn’t
work anymore.
INTERVIEW with Lisa M. Douglas
Nymity: Have record retention periods changed as a result
of recent developments in Canadian privacy law?
Douglas: In the past, organizations that
wanted to avoid developing a comprehensive and customized
records retention and destruction system often would keep
business records indefinitely, limited only by space constraints.
Other organizations would develop a “quick and dirty”
retention schedule based on minimum statutory retention periods
for different classes of records. Even those that managed
to create a comprehensive retention policy tended to focus
on issues other than privacy in arriving at the most appropriate
retention period for their business records. However, today’s
privacy law environment requires every organization in Canada
to implement a records retention and destruction system that
not only complies with the minimum statutory retention periods
and reflects the organization’s own culture of risk
sensitivity, but that also ensures that personal information
is retained no longer than necessary to satisfy its intended purposes. In
effect, there is now a “privacy overlay” that
must be considered in conjunction with the pre-existing retention
requirements.
Nymity: How can organizations ensure that their records retention
and destruction policies are compliant with both privacy law
and other laws affecting document retention?
Douglas: One method of merging both objectives
would be to take an existing records retention schedule and
identify which classes of records contain personal information,
and then analyze the purpose and use of that information.
The legal retention period will be the longer of either (i)
the statutory minimum retention period for the particular
class of record, if any; and (ii) the period for which the
personal information is necessary for its intended and expressed
purpose.
Nymity: So is it safe to assume that an existing records
retention policy that was prepared a couple of years ago just
needs a privacy analysis for relevant classes of records in
order to make it fully compliant?
Douglas: Unfortunately, that is probably
not a safe assumption, at least in the Province of Ontario.
A new Limitations Act came into force in Ontario on January
1, 2004, which has fundamentally altered the time in which
legal proceedings must be commenced in this province. This
development, in turn, has important new implications for records
retention that should be considered along with the privacy
law developments.
INTERVIEW with William Karam
Nymity: Is privacy law impacting the IT aspects of how companies
carry on business?
Karam: Yes, technology is having an unprecedented
impact on how today’s most successful companies carry on
business. As companies use technology to streamline many core
business activities, such as payroll administration, employee
performance reviews, and customer relations management, IT
departments are becoming intersections through which almost
all company data flows. As a result, IT staff and/or IT service
providers now play an integral role in how companies interact
with their employees and customers, as well as how they manage
related personal information. It is now consequently very
important that IT personnel understand their role and responsibility
in relation to a company’s implementation of and compliance
with its privacy and personal information practices and procedures.
Nymity: Do privacy laws impact how companies and their IT
personnel should access data and personal information?
Karam: Yes, many businesses have typically
taken a laissez-faire approach to how their IT personnel access
company data. In fact, at many companies, IT personnel often
have broad widespread access to almost all data and personal
information that the company retains in electronic form. New
privacy laws, however, require that company personnel only
access and use personal information as is reasonably necessary
in order to perform their job responsibilities. As a result,
IT personnel should only be accessing personal information
when necessary and pursuant to company privacy policies and
procedures.
Nymity: Are there any privacy law issues that companies should
be aware of when outsourcing services or disclosing data to
third parties?
Karam: Outsourcing of IT services or other
business processes, such as payroll or benefits administration,
often involves the disclosure or transfer of significant amounts
of data and personal information related to a company’s
personnel and/or customers. Privacy laws provide that a company
is responsible for all personal information in its possession
or custody, including any personal information that it entrusts
to a third party. As such, companies are now required to take
protective measures, by way of contract or otherwise, to ensure
that third parties to which they transfer Personal Information
comply with privacy laws and the company’s privacy policies
and procedures, including those related to records management.