Am I accountable for protecting Personally Identifiable Information?

Last week, one of our team pointed to a blog post about a ruling from the Public Service Labour Relations Board (PSLRB). I really liked this very short synopsis of the ruling. The blogger highlighted the lack of concern from the employer for the privacy of the employee when investigating the improper handling of corporate documents. I think this is critical and we need to ensure we “create and administer a protocol that governs non-routine access to system information and non-routine system monitoring”. However, of more interest to me is the heart of the ruling: the severity of an employee having ‘restricted’ corporate documents on a personal email account. Dismissal is a significant outcome, and I wonder how prevalent these activities are, and whether people are really informed about the risks associated with some of their behaviours.

In this particular case the employee had sent files to their personal email account that related to a job competition and contained personally identifiable information (PII). The PSLRB upheld the decision to discharge this individual for a “serious breach of trust that caused the employer embarrassment”.

The first problem here has to do with the use of email to send documents with personally identifiable information. It doesn’t matter if it was corporate email or personal email. Was the message encrypted? Was there an attached file, and was that encrypted? Was the employee using the information on a personal device, and was that password protected and encrypted? I think a lot of people are aware of and concerned about privacy, but do they have a good understanding of what their role is in protecting PII on a day-to-day basis? I also wondered if the corporation had a clearly stated and operationalized policy about sending files with PII over email.

The second problem is the use of a personal account. How many people use their personal Dropbox account, or even personal email accounts that have cloud storage attached to them, to store corporate files? In Higher Education I think this happens more often than we might like to admit. These personal accounts tend to have very loose contractual agreements in place. It is normally not clear who owns the information and what sort of accountability there is if the information is lost, stolen or breached. When we undertook moving to a cloud email solution there was extensive effort in developing a Privacy Risk Assessment, and in reviewing and rewriting contracts to ensure information was safe and that we had an avenue to litigate if there were any issues.

At the end of the day there has to be some onus on the part of the employee to understand the risks associated with their behaviours. It is also fair to expect the employer to ensure the proper tools and policies are in place and understood. This is an interesting ruling that I think needs to be more widely socialized, to help raise awareness and accountability.