[IPAC-List] Privacy, the impact of the Patriot Act, and employee information

Mark Hammer Mark.Hammer at psc-cfp.gc.ca
Wed Jun 10 16:49:29 EDT 2009

Had an interesting conversation with a privacy consultant yesterday, who was hired to assess our readiness for an audit by the Canadian federal privacy commissioner with respect to our compliance with the Privacy Act.

We acquire a lot of data on federal employees via operational data and assorted survey initiatives. While certainly no one here would ever dream of using the various demographic variables to drill down and identify individuals, nevertheless we collect such info for the purposes of being able to say things like "minorities have such and such a promotion rate", or "older employees perceive the fairness of competitions in such and such a manner, relative to younger employees".

What captured my attention was when I mentioned that we were considering temporarily going with an outside survey firm for our next survey activities, while we upgraded our servers, and explored newer software. The consultant mentioned that many public opinion firms, even though ostensibly "Canadian", would typically make use of servers on the US side of the border. Once *that* happens, the data on those servers become accessible to Homeland Security and cognate agencies under the Patriot Act. Once THAT happens, our presumably benign-yet-"confidential" activities contravene the Privacy Act on this side of the border. In effect, seemingly the only way for us to use such vendors is if we collect absolutely no information that could conceivably be used in some configuration to identify people; essentially sourceless opinions. A colleague in I.T. has expressed doubts about the consultant's assertions regarding the feasibility of using a vendor since, in his view, the commercial opportunities for a vendor who can assure that all data remains in Canada on Canadian servers are substantial. I.E., if there is money to be made, somebody is probably doing it.

I raise this topic not to get political, but rather just to inquire about the practical implications, and ask a few questions:

1) What the relationship is between employee, and especially e-recruitment databases, and those in the security community who would/could make use of them under the PA. Do folks in HR get asked for this stuff at all? Does it happen without their knowledge? Are they allowed to say whether it does or doesn't happen?

2) Do applicants or employees express concerns about use of their "personal data" under the PA? Are some identifiable types of employees or applicants more likely to express such concerns, and what sorts of concerns do they express?

3) What steps organizations have taken (if possible) to placate the more anxious/suspicious out there regarding any personal data they might submit on-line as a component of seeking or having employment.

I can't emphasize enough, I am not trying to stir anything up here. Merely trying to understand how people who deal in employee data do their job these days, under legislation that both emphasizes, or compromises the confidentiality of personal information that an employer might collect, and what practical issues have cropped up that weren't there before. I know that this recent conversation has certainly put a crimp in OUR plans here, and we don't even live in the USA.

On a more general note, what kinds of normal processes/practices do people engage in when dealing with potentially sensitive information volunteered by applicants or survey respondents? I've found myself in a pickle because some folks responding to ostensibly "anonymous" surveys about staffing practices start naming names as part of their comments in an open-ended question at the end. We try to keep the comments in a separate file so that they can't be linked back to anything in the rest of their survey data that could identify them, but their comments kind of blow their cover when they start talking about manager X in department Y. The consultant has advised us to adopt a protocol whereby such data is simply scratched within a fixed number of days after receipt, whether we use it or not. Of course, if you've ever worked with qualitative data from large-scale surveys, you'll recognize right away that processing such data is highly unlikely to be an efficient and automatic process, increasing the likelihood that we collect stuff and are forced to dump it before anyone has had a chance to even look at it, let alone code it and write it up.

I'm an honest conscientious guy who tries to treat what people tell us with respect, and takes privacy seriously. I worry about things like sharing datafiles with another directorate reporting to the same VP in our organization, simply because I don't know if they're going to hire a summer student to work with the data. Still, the broader implications of this whole privacy thing have blind-sided me. So, anything you might have to add on the topic of privacy...feel free to make public!

Mark Hammer
