Handling Personal Information: Q&A with Megan Sheppard of Benson Buffett
Do you use Facebook, Twitter or any number of other social media platforms? Have you ever filled out an online survey, or signed up for a newsletter or a service of some kind? Chances are, you were required to provide some personal details before you hit the submit button. But have you ever given much thought to the kind of information you’re offering, or how it’s being used? And if your organization has ever collected such information, can you ensure it’s protected?
Megan Sheppard and Melissa Royle, Associate Lawyers with Benson Buffett, will lead a workshop on February 27 at St. John’s City Hall titled “Handling Personal Information” to give participants the lowdown on privacy, protecting sensitive information and doing their due diligence. Megan recently chatted with Business & Arts NL to talk care, compliance and potential consequences of mishandling personal information.
Business & Arts NL: Privacy (especially when it comes to one’s online activities) is a hot topic these days. What are some of the worst consequences of not being diligent with handling personal information?
Megan Sheppard: It is no secret that social media companies amass a staggering amount of personal information from their users. Users give their personal information willingly, but may not fully understand the way their information is being used, or the associated privacy risks.
Canada’s Privacy Commissioner pointed out a few years ago that in addition to the preferences, habits, and social interactions of their users, social media companies collect vast amounts of background information that is not visible on public profiles, including search histories, purchases, Internet sites visited, and the content of private messages. She pointed out that all of this data allows social media companies – using sophisticated algorithms – to analyze user behaviour in order to refine their services. It also enables others, such as employers, school administrators, and law enforcement to learn more about individuals and their activities.
I think some of the worst consequences of not being diligent with handling personal information as it relates to social media can include:
· Being subject to a privacy breach;
· Impacts on employment such as being disciplined or terminated where offensive and/or threatening messages are posted on social media;
· Cyber-bullying;
· Civil actions (for example: defamation for comments on social media platforms)
Business & Arts NL: What, in your view, are some of the best methods/systems out there for safeguarding and storing personal information?
MS: Organizations must keep in mind that the more sensitive the information is, the stronger the safeguards must be. Organizations need safeguards that not only protect against loss or theft, but also unauthorized access, disclosure, copying, use or modification. Some of the best methods you can use to safeguard information are relatively easy to implement and may include:
· Locking filing cabinets;
· Securing a fax machine which receives sensitive information in a room accessible to a limited number of employees;
· Organizational measures such as security clearances and limiting access on a “need to know” basis;
· Use of strong passwords and encryption of laptops and mobile devices;
· Extra caution being exercised when working in public spaces.
The issue of collecting too much information should also be considered – organizations must limit the personal information they collect to that which is necessary for their purposes.
Business & Arts NL: Your session will look at the Personal Information Protection and Electronic Documents Act, as well as the Privacy Act. If an organization doesn’t comply with these acts - even if it’s not intentional - how severe may the penalties be?
MS: The way it works under PIPEDA is that if an organization fails to comply with PIPEDA’s requirements, it can become subject to a complaint either by an individual filing a written complaint with the Privacy Commissioner, or the Commissioner may also initiate a complaint if there are reasonable grounds to investigate a matter. While a Commissioner’s findings after investigating a complaint are not binding on an organization, a complainant may apply for a hearing to the Federal Court of Canada if the Privacy Commissioner’s report had not addressed your concerns.
The Federal Court can in turn order:
· That an organization correct its practices to comply with PIPEDA;
· That an organization publish a notice of any action taken or proposed to correct its practices; or
· An award of damages to the Complainant, including damages for any humiliation suffered.
There are also statutory fines that an organization can be charged with, such as obstructing the Commissioner in the investigation of a complainant. These statutory offences can carry hefty fines. In more serious cases, fines can be up to $100,000. Not to mention, these fines/convictions can be devastating to an organization’s reputation, finances and existence.
Under the Privacy Act, an individual may also submit a complaint to the Privacy Commissioner who may conduct an investigation if there are reasonable grounds to do so. Following the Privacy Commissioner’s report, an individual may apply to the Court, which can in turn impose various penalties such as ordering that an organization correct its information management practices. Damages can also be awarded.
Workshop: Handling Personal Information
Date: Monday, February 27 from 1pm-4pm
Location: St. John’s City Hall, Foran-Greene Room
Price: Free for Business & Arts NL members/$30 General public
Advance registration is required.
Note: This session is preceded by Major Gifts, Making the Ask, and Donor Stewardship, from 9am to 12pm in the same location, with Jennifer O’Neill, Associate Director, Development at Memorial University. Jennifer’s workshop is $20 for Business & Arts NL members and $30 for the general public, and advance registration is required.