In the last decade, privacy concerns have increased dramatically on a global scale. This is mainly due to the capabilities of increasingly intrusive information and communication technologies (ICTs) and devices as well as the advent of social media. The line between what is private and what is public is now blurred. Consequently, the issue of privacy in the workplace has also been brought to the fore with many jurisdictions globally formulating policies, guidelines and codes of practice to address workplace risks to privacy.
Informational privacy, or what is referred to in some jurisdictions as data protection, essentially covers any set of policies and/or legislation that safeguards and controls the disclosure of personal information of living and identifiable individuals/citizens held by public and private entities.
Barbados has not yet implemented a national privacy regime or enacted data protection legislation. Data Protection has been in bill form since 2005 and has not been revisited. However, Barbadian businesses and organizations should begin to seriously consider their state of readiness with regard to how they deal with the privacy of staff and client/customer information. The idea of privacy management has not been fully explored by Barbadian businesses and organizations. Yet, privacy is considered a human right and the global expectation is that modern institutions/businesses should ensure compliance with internationally accepted standards on privacy.
There are some key aspects of privacy management that should be assessed and audited in any given organization. These include, but are not restricted to: the secure management of personal information captured in records, regardless of format, from their creation to final disposition; the ways employees are monitored, particularly as it relates to capturing Closed Circuit Television (CCTV) footage, telephone usage and email/Internet activity; and the mechanisms used to gain informed consent from employees and customers/clients on the types of personal information captured and maintained on them individually.
Every business and organization has a right to capture information on its employees to carry out key functions such as human resource and finance management. However, employers should become conversant with ‘fair work’ principles on privacy in the workplace to ensure that they do not encroach on the human right to privacy.
Personal information has been defined as, ‘any information related to an identifiable, natural person’ and includes names, addresses, and other contact details as well as information on educational background, marital status, credit history, political affiliation, racial and ethnic origin, religious or other beliefs, membership with a trade union, physical or mental health or condition, sexual life and the commission or alleged commission of an offence. Personal information may be found in a wide range of record types created and maintained by organizations. The higher risk functional areas are in human resources management and finance departments which interact most frequently with personnel records containing high concentrations of sensitive personal information. It must be noted that some types of institutions possess more records with more personal information than others because of the nature of their business, such as healthcare facilities, insurance companies and educational institutions.
How then can Barbadian businesses and organizations prepare for the future enactment of the Data Protection Act (DPA)?
First and foremost, changes in practice must take place with the treatment of records containing personal information on customers/clients and staff in record-keeping systems. These records should be identified, documented and clearly marked as records containing personal data. The business/organization should formulate clearly written policies and procedures on how that information should be treated in both paper-based and electronic systems inclusive of security requirements with access controls for all who should interact with these records.
Core globally accepted privacy principles are that personal information should be collected fairly and lawfully; used only for the purpose specified during collection; adequate, relevant and not excessive to that purpose; accurate and up-to-date; accessible; kept securely; and subject to disposal after the purpose is completed. These should be incorporated when writing privacy policies and procedures. Ultimately, businesses should conduct privacy assessment surveys and audits to ensure that privacy policies and procedures are carried out at all levels of the organization and to assess whether the records themselves conform to these requirements.
The convention on employee monitoring ensures there is agreement on both sides on how this is carried out in day-to-day operations. CCTV may be installed but only with consensus between senior management and staff on the placement of cameras. Privacy/data protection legislation does not usually permit the singling out of individuals on cameras without their consent, unless it is to avert imminent threats or criminal acts like damage to property with involvement from law enforcement officials. Surveillance records should be collected with careful adherence to existing legislation or globally accepted privacy standards. As it relates to organizational email, telephone usage and the use of the Internet, policies should be written that clearly outline how the organization deals with access to business and other email created and received by employees, whether telephone usage will be monitored, and how the monitoring of employee Internet browsing will be addressed.
The best solution for privacy management in any workplace is to have mechanisms for informed consent of staff and customers/clients with a good communication strategy. Forms and other documentation which capture personal information should state what the information will be used for. There should be dialogue among employers, staff and customers/clients as to the type of personal information collected and how it is used. Employers should also take the necessary steps to safeguard records containing personal information, either in physical or virtual storage, from unwarranted access. Staff should be well trained in the use of all record-keeping systems and know their limitations. Statistics in some jurisdictions have shown that breaches are mainly caused by human and technological error, where personal data is accidentally published online, or by malicious acts of staff searching personnel records, or by hacking. Agencies must then secure physical and electronic records by instituting a sound security matrix. Audit trails, passwords and firewalls are particularly critical in electronic environments. Records with personal information should not be indiscriminately dumped but securely destroyed to prevent unauthorised access. Further, there should also be proper signage for use of CCTV and any other systems for monitoring employees/clients/customers in the workplace. Organisational email policies should be clearly written and communicated to ensure that business emails which may be monitored by the organization are properly segregated from personal email. It is also recommended that adequate policies be written to deal with the use of social media for business purposes.
It would serve Barbadian businesses and organisations well to establish privacy management before the Data Protection legislation takes effect. This legislation usually provides for breaches to be reported to a Data Protection or Information Commissioner and, in many jurisdictions, breaches have led to large fines and/or jail time. The global trend is to take all measures to ensure respect for the dignity and safety of individuals, both clients and staff, in order to preserve their ‘right to privacy’. Therefore, citizens and others within any society deserve to be afforded protection in the way that their personal information is handled and maintained by public and private entities.
(Cherri-Ann Beckles, PhD – Archivist/Records and Information Management Specialist)