Nymity News

Interview with Ceridian

February 2004

Terry McQuay, Nymity President, interviews John Wunderlich on privacy at Ceridian. Ceridian Canada is a leading provider of comprehensive human resource solutions to over 40,000 Canadian businesses of all sizes in virtually every industry.


Nymity: John, please provide us an overview of privacy at Ceridian.


Wunderlich: Privacy is an extension of our core business model. Our company's vision is, "To change the world of work". One of the fundamental ways that we can make everyone's work life more comfortable is to assure them of the privacy, as well as the confidentiality, of the information that they pass to us for processing. For us, privacy begins with the protection of our own employees' information. Without that protection, any discussion of protecting our customers' information would be moot. What we have done is to extend our ongoing implementation of best practices for data handling to include privacy as one of the business drivers. This means that privacy requirements are now part of any new project considerations, and are integrated with our client implementation processes. As an international organization, Ceridian deals with the EU privacy directives, and with state and other regulatory requirements in the U.S. Ceridian Canada has created an internal privacy council, composed of senior managers, to provide ongoing oversight and direction to the business.


Nymity: Have privacy regulations had an impact on operations at Ceridian?


Wunderlich: At Ceridian, we already had safeguards and practices in place to protect customer confidentiality and this gave us a substantial head start on meeting privacy requirements. Privacy has had minimal impact on operations as a result. As a matter of fact, I can't think of an operational change that we have implemented that wasn't already on our wish list as either a 'best practice' or other business improvement. Privacy has impacted the pace and timing of some operational changes, and in each case we have ended up with a better internal process.


Nymity: As Ceridian complies with PIPEDA and provincial regulations, please explain your privacy program.


Wunderlich: We are implementing privacy as a three level process. At the highest level we have our privacy policy. This provides high level guidance, and outlines the types of consent and uses for data that we will typically encounter. I don't anticipate that the policy will change very much over time, other than to respond to regulatory or legislative changes. This provides a target for compliance. At the next level, for each functional area of the business we have a privacy standard. This is a document that specifies what data that area holds, what job roles access the data for what purposes, and finally sets out high level practice guidelines. This provides each functional area with ownership of its data, and clear direction on what will be necessary to comply with the privacy policy. This document is agreed to by the business leader of the functional area and the privacy office of the company. The final level contains the concrete procedures and policies each functional area uses to comply with their particular privacy standard. Each area is free to do this in whatever manner it chooses, so long as it can audit and report on compliance with its standard. This allows the business areas the freedom to respond to changing business and process requirements while still meeting privacy obligations.


Nymity: Ceridian completed a detailed privacy impact assessment of your IT systems. Why did you go to this length?


Wunderlich: We elected to do this because so much of our business is built around the processing of data that is privacy restricted and around providing client services based on that data. If we hadn't done a privacy impact assessment, I believe that we would have been letting our clients down. They trust us to meet the highest watermark for protecting their data, and not doing a PIA would have failed to meet that expectation.


Nymity: Please review with our subscribers the process for your Privacy Impact Assessment.


Wunderlich: Our PIA is a simple questionnaire with questions covering each of the first nine principles of the CSA code (Principle 10, complaints, is handled directly by our privacy office). For our initial assessment of the company we distributed the PIA widely to get a granular view of the data contained in the business. On an ongoing basis we will be using it for two purposes. Each business unit will redo a higher level PIA on an annual basis to confirm compliance and for process review. Any new product, project or business process will also complete an assessment at a more detailed level so that we can continue to build privacy into the business. Once the questionnaire has been completed, it is reviewed by the privacy officer. Gaps are identified and the privacy officer will work with the business owner to develop and implement a remediation plan.


Nymity: At Ceridian, who did you choose as your Privacy Officer and why?


Wunderlich: At Ceridian our Chief Privacy Officer is our Director of Corporate Security. This role was chosen because this is the office in our business that is responsible for overseeing a number of data related and compliance issues. Privacy is being integrated into those processes as another audit item for which line managers and data owners will have responsibility.


Nymity: Ceridian IT is recognized as an expert in the field of secure transfer of data. Please share with our subscribers some of your considerations in the area of safeguards.


Wunderlich: It's kind of a truism that the only safe data is on a secure hard disk... on a secure server... in a secure room... connected via a secure connection... and that the computer is turned off. As soon as you transmit data there is a small but measurable chance that it will end up somewhere unintended. Our considerations of safeguards are based on customer requirements, our knowledge of technology and a solid cost/benefit analysis. This means that we select proven technologies that provide secure data transfers within the capabilities of our clients. For obvious reasons I can't discuss the technical particulars.


Nymity: What are the compliance issues with regards to outsourcing of employee personal information to Ceridian? Is payroll outsourcing a disclosure or a third party transfer?


Wunderlich: This is one of the first questions that I investigated when I started doing the privacy implementation. After talking to privacy lawyers, practitioners and to regulators it is clear to me that payroll outsourcing is a third party transfer, not a disclosure. We inherit the data with the consent given to employers by their employees for the processing and handling of payroll and HR information and that is what we restrict ourselves to.

Nymity: Are you saying PIPEDA does apply to the employee information being transferred, not because it is a commercial activity, but because it is a 3rd party transfer?


Wunderlich: No. What I'm saying is that where PIPEDA applies to employee information, which is to say in federally regulated companies or, according to a former Privacy Commissioner, to employers in the northern territories, we receive the information as part of a third party transfer for processing, not as a separate commercial transaction. This identifies that the responsibility for obtaining appropriate consent rests with the employer, and that we can reasonably infer that consent for the services for which we are contracted has been obtained by that employer. The terms and conditions attached to our standard contract identify this in more formal legal language.


We use a 'high water mark' approach to privacy, so we apply this across the board, whether or not PIPEDA actually applies, and we apply it to our own employee information. Employee information is only protected in federally regulated companies under PIPEDA, in B.C. and Alberta under their respective PIPAs, and in Quebec under its private sector law, but all information processed by Ceridian is protected.


Nymity: What privacy-related questions have your customers been asking?

Wunderlich: There hasn't been a huge number of questions yet. Our customer interactions to date have mainly been either requests for us to demonstrate that we are privacy compliant or just general, "What does privacy mean for employee information" type of queries. Since payroll data is excluded from PIPEDA (excepting federal work and possibly the northern territories), we are faced with the classic patchwork. We are working at being able to supply our customers with the information that they need to determine if their payroll data is covered by legislation or not. At the same time we use a 'high water mark' guideline internally so that we can reassure clients that their data, when transferred to us, will be treated appropriately.


Nymity: Last year, Ceridian updated its employee privacy program. Please share with our subscribers the process you went through to review your employee privacy practices.


Wunderlich: The largest effort last year, aside from ongoing data security and safeguard work, was our education and training programs. We rolled out a mandatory web-based training initiative to all employees in order to ensure that every single Ceridian employee reached a common base level of privacy understanding. We have incorporated the WBT into our Orientation for New Employees program, and plan to do a yearly revalidation through our intranet. Because of this I can comfortably say that over 99% of Ceridian employees have received privacy training. We depend on our people to be our first line of defense to ensure that no one's privacy is violated; this is a natural extension of confidentiality, which has been standard practice for us since our inception as a business. Our technology solutions (access restrictions and the like) are there as tools in support of this initiative.


Nymity: In closing, what recommendations do you have for organizations that are creating employee privacy programs?

Wunderlich: Work with your staff. Everyone understands privacy at one level or another and most people are more than willing to treat data as they would want their own to be treated if you make them aware of the issues and give them the tools to do the job. Take the time to build privacy as a process. If you attack it as a problem, you may fix it today, but you won't know what to do tomorrow when a privacy investigator knocks on your door.
