The Top 5 Things you probably are not doing (but should be doing) to comply with Canadian Privacy Laws: ISSUE #5: Training Employees
You may have noticed a common theme throughout our last four issues: providing employee training is a key action item in ensuring an effective Canadian privacy compliance program.
Employees are often the “weak link” in an organization’s privacy and data security program. Misdirecting emails, clicking on phishing links, inappropriately disposing of documents, losing unencrypted portable devices and other errors cannot be entirely avoided, but their likelihood can be significantly reduced by providing personnel with appropriate training. When errors do occur or anomalies are noted, employees play an important role in reporting incidents appropriately and in a timely manner so that potential harm can be mitigated.
Employees are also on the “front lines” of administering your organization’s privacy compliance program. They are responsible for a variety of important privacy functions, including designing products, services and initiatives in a privacy-compliant manner, determining whether and when to conduct a privacy impact assessment, selecting, engaging and monitoring vendors who handle personal information (“PI”), obtaining consent to collect, use and disclose PI, and receiving, escalating and responding to data subjects’ requests, questions and complaints. Employees must be adequately trained to implement your organization’s privacy policies and procedures in a consistent and legally compliant way.
Providing employee training is also a matter of compliance with applicable privacy laws. For example, under the federal Personal Information Protection and Electronic Documents Act (“PIPEDA”), an organization is required to train and communicate to staff information about the organization’s privacy policies and practices.
Not all training will accomplish these important goals. An effective privacy and data security training program includes:
- A mandatory training session that all employees must complete at the outset of their employment before accessing PI;
- Ongoing, periodic training sessions to refresh employees on key concepts and address new practices, changes to policies and procedures, developing risk landscapes, and new legal developments;
- Role-specific content, including practical examples of privacy and data security issues that may arise during employees’ day-to-day duties and responsibilities;
- Interactive training activities, such as simulated phishing attacks, discussing case studies or table-top exercises (e.g., working through simulated data breaches); and
- Information about how and to whom personnel should escalate questions, concerns or other circumstances requiring additional support.
A key aspect of training that is often overlooked is the importance of focusing on role-specific training. Providing employees with generic information about privacy law requirements is often not helpful when they are making decisions as to how they should handle PI in the course of performing their job duties. Furthermore, the type(s) of PI accessible to an employee, and the manner in which that PI should be processed, can vary significantly across different departments. For example, human resources employees will engage in different data processing activities than customer service personnel. Each group will need to understand the unique privacy considerations that are relevant to their activities.
Finally, it is important to understand that privacy training does not stop at information security training. Of course, it is important for employees to receive appropriate training to help them protect PI and prevent data breaches by malicious third parties. However, it is equally important for employees to understand other aspects of privacy compliance, such as the limitations that apply to using PI within the organization’s control for a new purpose without fresh consent (or a relevant consent exception). Furthermore, employee “snooping” is still a significant issue, and employees should understand that being granted access to certain PI does not equate to permission for them to review or use that information for any purpose other than performing their assigned job duties.
Action Items
Develop and implement an effective privacy and data protection training program for your organization’s personnel by:
1. developing and delivering training to all new employees before they are granted access to PI;
2. developing, scheduling and delivering periodic refresher training for existing employees, including to revisit important basics and address changes to applicable laws, regulatory guidance and your organization’s policies, procedures and practices;
3. ensuring that existing training materials take into account unique requirements under Canadian privacy laws and regulatory guidance;
4. developing and implementing internal policies and procedures regarding personnel training;
5. developing and making available resources to reinforce concepts learned during training, such as checklists or cheat sheets;
6. maintaining appropriate records of training; and
7. ensuring that contracts with vendors who process PI on your organization’s behalf include appropriate terms addressing the training of vendors’ employees.
McMillan’s Privacy and Data Protection team can help your organization to implement the action items outlined above. Contact your McMillan representative to obtain the support your organization needs to ensure compliance with this critical privacy compliance issue.
by Lyndsay Wasser, Kristen Pennington
A Cautionary Note
The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.
© McMillan LLP 2024