Developing an effective privacy training program

October 10, 2014

Note: This article was first published in PrivacyScan on May 30, 2014, by the Law Office of Kris Klein on behalf of nNovation LLP. The Law Office of Kris Klein owns the copyright to this article.

Anyone who has paid even casual attention to the news in Canada during the past decade will be aware that stories about privacy – especially those relating to privacy breaches or other privacy-related transgressions – have become commonplace. A growing number of Canadian organizations have had to deal with significant operational disruptions arising from such events. A contributing factor in many of these incidents has been inadequate staff training concerning privacy and data security.

This article briefly examines the legal underpinnings of the growing trend to provide privacy training to employees in Canada before addressing the issues of (i) who should be trained, (ii) what sort of training should they receive, (iii) how frequently should they receive it and (iv) how can the benefits of the training be assessed and effectively reinforced.

The Canadian privacy law setting

An organization considering the establishment of an in-house privacy training program will often raise one key issue at an early stage in its evaluation process: "Do we have a legal obligation to do this?" Given the increasing number of federal, provincial and territorial privacy laws in Canada (there are currently thirty-one, by the author's count, including three laws passed but not yet in force) that govern dealings with personal information and/or personal health information by private, public, health and NGO sector entities, the answer to this question depends upon the sectoral and jurisdictional settings within which the organization operates. Some Canadian privacy laws expressly require organizations to carry out privacy training.

The most significant of these, in terms of the number of organizations affected across Canada, is the Personal Information Protection and Electronic Documents Act (PIPEDA). Sub-article 4.1.4(c) in Schedule 1 of PIPEDA requires an organization to educate its staff members about its personal information policies and practices.

Similarly explicit requirements are found in a number of health privacy laws (e.g., para. 15(3)(b) of Ontario's Personal Health Information Protection Act, 2004), while others impose training obligations via regulations (e.g., ss. 8(6) of Alberta's Health Information Regulation). Training obligations may also arise by "necessary implication" from the wording of a statute, even though there is no specific reference to training on the face of an Act or its regulations. For example, the Information and Privacy Commissioner for Saskatchewan has held that a requirement to provide privacy training can be implied from the provision in that province's Health Information Protection Act that requires each "trustee" to establish policies and procedures that will ensure compliance with that Act by its employees.

Under public sector privacy laws, meanwhile, training obligations typically are imposed through government policy (e.g., the training obligation specified in s. 6.2.2 of the Government of Canada's Policy on Privacy Protection that is applicable to government institutions that are subject to the federal Privacy Act).

Who should receive privacy training?

As it is often difficult to predict the precise scope of personal information collection, use and disclosure by an organization's employees, privacy training should be broadly targeted. Ontario's Information and Privacy Commissioner recently advised: "All employees (including the senior management team, departmental managers, and frontline staff) should [receive] ... privacy training." The Office of the Privacy Commissioner of Canada has consistently recommended that organizations subject to PIPEDA should provide privacy training for both "front-line and management staff". The same Office recently broadened this advice in response to a much publicized privacy breach involving the loss of a computer hard drive by a federal government department subject to the public sector Privacy Act (Employment and Social Development Canada). The Commissioner recommended in that case that a privacy training and awareness program be delivered to all departmental employees.[1] Similar recommendations have been made by privacy regulators in other Canadian jurisdictions, including Alberta, Newfoundland and Labrador, British Columbia and New Brunswick.

In speaking of Saskatchewan's Health Information Protection Act (HIPA), that province's Information and Privacy Commissioner has noted:

As we work to build a strong culture of privacy and confidentiality in and among all Saskatchewan trustees and trustee organizations, all staff of a trustee organization should receive HIPA training. The experience in other provinces with a health information law is that training should involve all employees, volunteers, contractors and students who work in or for a health trustee organization. The content and intensity of the training will reflect the particular roles and needs of different employee groups in an organization but all of those employees and others should have some basic understanding of privacy, confidentiality and HIPA.[2]

Taken together, it appears that the emerging consensus view amongst Canadian privacy regulators is that privacy training should be delivered to all employees of an organization.

What should privacy training be about?

There cannot be a single, standardized template for a Canadian employee privacy training curriculum given the particular nuances of each organization's activities and internal policies/procedures and the host of potentially applicable privacy laws. However, there are a number of common elements that should form part of each training program. Every session should feature the following elements:

  • some privacy-related background information that provides context for the training (e.g., why our clients (or co-workers) are concerned about privacy and how the law and, in many cases, the marketplace now oblige us to respect those concerns);
  • a discussion of key terms (e.g., what is "personal information");
  • a brief review of applicable privacy law(s);
  • an examination of key privacy concepts (e.g., PIPEDA's 10 Privacy Principles);
  • a description of the organization's ongoing dealings with, and holdings of, personal information/personal health information;
  • a review of the organization's policies and procedures that relate to privacy and data security (e.g., its privacy policy, its data retention and disposal policy, its security policy, etc.);
  • an introduction to the organization's privacy officer or team and a description of his/her/their role(s) and responsibilities; and
  • a reminder of each staff member's personal responsibilities relating to privacy/data security.

Privacy training is not generally suited to a "one size fits all" approach; employees that are responsible for "front line" dealings with personal information, especially sensitive personal information, will require training that differs in terms of the extent and specificity of its content from training provided to employees who have less frequent contact with personal information. As an example of this approach, in 2013 the Information and Privacy Commissioner of Newfoundland and Labrador held that those employees of a Regional Health Authority who were given user privileges for an electronic medical records system

...should be required to complete privacy training each year that includes completion of a comprehensive privacy tutorial with specific modules on privacy issues related to electronic information systems. Completion of this training should be tracked and linked to an annual renewal of user privileges.[3]

Canadian privacy regulators have not shown any particular preference regarding the format of privacy training – organizations can choose between live and electronic (group or independent study) training in accordance with their own preferences and resources.

How frequently should training take place?

With respect to privacy training in Canada, the old concept of "once and done" no longer meets due diligence requirements in most settings. The frequency of training should vary in accordance with the extent and sensitivity of the target audience's dealings with personal information. As referenced in the preceding section, some Canadian privacy regulators are now of the view that employee groups that continually deal with certain types of sensitive personal information will require detailed privacy training on an annual basis as a condition of employment. Other categories of staff will need less training – but in all cases the training should be updated on a regularly scheduled basis. New hires should receive training appropriate to their respective roles before interacting with personal information under the control of the organization.

How can the benefits of privacy training be assessed and effectively reinforced?

The most effective means of assessing the merits of a training program is to subsequently test trainees' understanding/retention of the information presented to them. Individual testing can take the form of a quiz administered in a live or electronic setting. Alternatively, testing could be carried out in a group setting via role playing or team-based exercises, which may also have team-building benefits. In either case, if the testing results reveal understanding/retention below an acceptable threshold level, the relevant individuals/groups should be designated for re-training. In cases where the personal information with which employees deal is of high sensitivity (e.g., health records), testing should be conducted on an individual basis and consideration should be given to making receipt of a satisfactory test score a condition of service. Persistently high fail rates may be an indication that the test (or scoring) is too difficult. Organizations may wish to direct refresher materials to employees between training sessions to reinforce key training messages.

Summary: Key takeaways

Legal obligation

An organization's Canadian privacy training obligations will depend upon the privacy law or laws that apply to its operations. Depending upon the sector(s) and Canadian jurisdiction(s) within which it operates, an organization may be subject to training obligations arising from more than one such law. If in doubt about which law(s) is/are applicable, consult with your counsel. Bear in mind that not all training requirements are expressly stated in legislation; others may arise via regulations, government policy or by implication.

Who should receive

An organization should deliver privacy training to all of its staff, including volunteers, contractors and students.

Content

Each organization should provide privacy training that reflects its own unique circumstances while also containing certain standard features. The extent and specificity of training may properly vary depending upon the involvement of different staff categories in dealings with personal information, especially sensitive personal information. Training can be delivered live, electronically or as a hybrid of the two.

Frequency

The frequency of training should vary in accordance with the extent and sensitivity of employees' dealings with personal information. Detailed training may be required annually in some cases, while all training should be updated on a regularly scheduled basis. New hires should receive training before interacting with personal information.

Evaluation

Individual or group testing is the best means to assess training effectiveness. Individual testing should be conducted in cases where employees deal with highly sensitive personal information, and in such cases organizations should consider making successful completion of training a condition of service. Consider use of refresher materials between training sessions to reinforce key messages.

About the Author

Rick Shields is a partner with nNovation LLP and has extensive experience developing and delivering privacy training programs.

End Notes

[1] Office of the Privacy Commissioner of Canada, Special Report to Parliament: Investigation into the loss of a hard drive at Employment and Social Development Canada, March 25, 2014.

[2] Information and Privacy Commissioner for Saskatchewan, Report H-2005-002, Prevention Program for Cervical Cancer, April 27, 2005, p. 100.

[3] Office of the Information and Privacy Commissioner of Newfoundland and Labrador, Report PH-2013-001, Western Regional Health Authority, February 11, 2013, p. 25, para. 78f.