Seasons Greetings and a Happy New Year to all!

Save the Date –Top of Mind webinar -privacy commissioners from across Canada – January 31 noon Eastern

Ontario -updated guidelines re: automated license Plate Readers

Consultation – federal Directive on Automated Decision Making

Life Labs investigation report, Ontario and BC

Privacy cases summarized – Osler, Hoskin & Harcourt

Ontario’s IPC has podcast on indigenous data prospectives

Canada’s privacy Commissioner investigates CRA

Blog

Technology and function creep

February 22, 2018 - Sharon Young, Analyst

“I love technology,

But not as much as you, you see.

But I still love technology.

Always and forever.”

  • Kip from the movie Napoleon Dynamite

Technology takes on a central role in most, if not all, workplaces. It is difficult to imagine a workplace without computers. Further, cloud computing is enabling workplaces to organize themselves far more dynamically while completing tasks efficiently. With all of its benefits, we must be cognizant of technology’s impact upon employee privacy.

“Function creep” occurs when information is used for a purpose that is not the original specified purpose. For example, a workplace may install a security system that requires employees to sign-in or sign-out of the workplace. The purpose of the security system is to prevent unauthorized access to a particular workplace. However, organizations may end up using this information about individual employees to track employee attendance. This could be a privacy breach if the organization has not fulfilled the collections requirements in The Freedom of Information and Protection of Privacy Act (FOIP) and The Local Authority Freedom of Information and Protection of Privacy Act (LA FOIP). For example, if the organization is collecting the information to track employee attendance without informing employees of the purpose for which the information is being collected pursuant to subsection 26(2) of FOIP or subsection 25(2) of LA FOIP, then this would be a privacy breach.

Function creep is often unintended. However, this is not an excuse for organizations to breach employee privacy. Below are some suggestions that organizations could undertake to avoid or stop function creep:

  • Have at least one employee designated as the privacy officer.
  • Have a process in place so that employees (or members of the public) can raise concerns and that those concerns are investigated.
  • Since function creep is often unintended, organizations who learn that technologies or processes that are committing function creep should be open to adjusting so that the function creep is discontinued.
  • Regularly undertake privacy impact assessments (PIA) so they can comprehensively analyze and evaluate how technology impacts privacy. A PIA is a process that should be undertaken not only by the privacy officer, but managers and employees implementing new technology, processes, projects, and/or programs. PIAs require teamwork!

For more information, check out my office’s resource called Technology’s Impact Upon Employee Privacy.

 

Categories: BlogTags: , , ,

Back to Blog