Comprehensive, relevant training and reviews key to shore up weak links in data protection
Employees have access to more personal information than ever before. They also process such information using a variety of interconnected electronic devices. An employee’s mishandling of this information or failure to protect their devices may lead to costly and reputation-damaging data breaches, complaints, regulatory investigations, and even litigation.
Providing appropriate, effective employee training on privacy and data protection matters is an important part of developing and maintaining a robust Canadian privacy compliance program. Such training should include information on privacy law requirements, information security, and the organization’s own policies and procedures for handling personal information and electronic devices.
Employees are often the “weak link” in an organization’s privacy and data security program. Indeed, privacy regulators in jurisdictions with mandatory data breach reporting have released a number of reports indicating that one of the most common causes of security breaches is human error.
Misdirecting emails, clicking on phishing links, inappropriately disposing of documents, losing unencrypted portable devices, and other employee errors cannot be avoided entirely, but their likelihood can be significantly reduced by providing personnel with appropriate training. When errors do occur or anomalies are noted, employees play an important role in reporting incidents appropriately and in a timely manner so that potential harm can be mitigated.
Employees and privacy compliance
Employees are also on the “front lines” of administering an organization’s privacy compliance program. They are responsible for a variety of important privacy functions, including: designing products, services, and initiatives in a privacy-compliant manner; determining whether and when to conduct a privacy impact assessment; selecting, engaging and monitoring vendors who handle personal information; obtaining consent to collect, use and disclose personal information; and receiving, escalating and responding to data subjects’ requests, questions and complaints.
Employees must be adequately trained to implement their employer’s privacy policies and procedures in the course of all these activities, in a consistent and legally compliant manner.
Providing employee training is also required for compliance with applicable privacy laws. For example, under Canada’s federal Personal Information Protection and Electronic Documents Act, an organization is required to train and communicate to staff information about the organization’s privacy policies and practices.
Conducting effective training
Although training can reduce risks to organizations and the individuals whose information they process, facilitate regulatory compliance, and help avoid costly complaints and litigation, not all employee training is equally effective at accomplishing these important goals. Rather, organizations should implement a structured and targeted training program.
Importantly, privacy and data protection training should not be a “one and done” exercise. An effective training program generally includes a mandatory training session that all employees must complete at the outset of their employment and before they are granted access to personal information, as well as ongoing, periodic training sessions to refresh employees on key concepts and to address new practices, changes to the employer’s policies and procedures, developing risk landscapes, and new legal developments.
To help demonstrate and reinforce key concepts, organizations can consider incorporating interactive training activities, such as simulated phishing attacks, discussing case studies, or collaborating on table-top exercises (for example, working through simulated data breaches). In some cases, organizations may consider engaging qualified third-party vendors to assist with facilitating these interactive training activities.
Role-specific training for data protection
A key aspect of training that is often overlooked is the importance of focusing on role-specific training, including practical examples of privacy and data security issues that may arise during employees’ day-to-day duties and responsibilities. Providing employees with generic information about privacy law requirements is often not helpful when they are making decisions as to how they should handle personal information in the course of performing their job duties. Furthermore, the types of personal information accessible to an employee, and the manner in which that personal information should be processed, can vary significantly across different departments. For example, human resources employees will engage in different data processing activities than customer service personnel. Each group will need to understand the unique privacy considerations that are relevant to their activities.
It is also important to understand that privacy training should not stop at information security training. Of course, it is important for employees to receive appropriate training to help them protect personal information and prevent data breaches by malicious third parties. However, it is equally important for employees to understand other aspects of privacy compliance, such as the limitations that apply to using personal information within the organization’s control for a new purpose without fresh consent (or a relevant consent exception). Furthermore, employee “snooping” is still a significant issue, and employees should understand that being granted access to certain personal information does not equate to permission for them to review or use that information for any purpose other than performing their assigned job duties.
Timely responses to data breaches
Data protection training should also include information about how, when and to whom personnel should escalate privacy-related questions, concerns, or other circumstances requiring additional support. It is important for organizations to respond to high-stakes scenarios (such as potential breaches or complaints) in a timely manner, and they can’t do so if the relevant stakeholders aren’t promptly informed about potential problems.
Finally, effective training should also provide employees with the chance to ask questions. Training is an opportunity to open up a dialogue about privacy and data protection, which will ultimately increase employees’ commitment to the organization’s policies and underlying values.
Important steps when developing and implementing an effective privacy and data protection training program for personnel include:
- Developing and delivering training to all new employees before they are granted access to personal information and updating internal onboarding processes to ensure that such training is consistently provided.
- Developing, scheduling, and delivering periodic refresher training for existing employees, including revisiting important basics and addressing changes to applicable laws, regulatory guidance and the organization’s policies, procedures and practices.
- Ensuring that existing training materials take into account unique requirements under Canadian privacy laws and regulatory guidance, particularly if such materials were initially developed for compliance with privacy laws in other jurisdictions.
- Developing and implementing internal policies and procedures regarding personnel training.
- Developing and making available resources to reinforce concepts learned during training, such as checklists or cheat sheets.
- Maintaining appropriate records of training, including the dates when such training is provided to each employee and copies of all training materials.
- Ensuring that contracts with vendors who process personal information on the organization’s behalf include terms requiring vendors to provide appropriate training to their employees.
Taking these steps will equip an organization and its personnel with the tools needed to facilitate greater protection of the personal information entrusted to them by customers, employees, members of the public, and other relevant individuals.
Lyndsay A. Wasser and Kristen Pennington are both partners at McMillan LLP in Toronto, specializing in privacy & data protection and employment & labour relations.