The recent terrorist acts in the United States will forever change our North American views on safety and security. One issue currently under debate is the public mood to trade of some civil liberties and privacy rights for increased security. Where the dust will settle on that issue is anyone’s guess.
Not all initiatives need result in eroded privacy. For example, many individuals might take advantage of an enhanced identity card (similar to the existing one) to facilitate faster clearance at the border. The privacy trade-off might involve fingerprinting and a rigorous background check.
Other people, including law-abiding citizens with nothing to hide, might not consider the trade-off acceptable for a minor gain in convenience. Privacy is about individual choices. And if there is no compelling public interest, these programs should not be mandatory.
While thinking about these issues, I recalled a discussion that I had with an information technology manager last year. He asked for my opinion on security checks for his staff. With ever increasing reliance on information technology, recent events reinforce the view that an IT outage strikes at the heart of corporate and national interests.
In this particular instance, I advised the manager that, in my view, the privacy laws would not present a barrier to this activity if he could reasonably demonstrate that the information was a necessary to screen job applicants, and provided he consider a number of factors before embarking on the initiative. But he might face an uphill battle with his human resources department who would be concerned about a complaint under the human rights code.
For an organization to conduct criminal background checks, the screening criteria must be a bona fide job requirement. For example, a clean driving record without a conviction for driving under the influence might be a bona fide job requirement for a driver position, and a variety of criminal record types keep people from assuming positions involved with supervision of children.
Interestingly, where an organization conducts background checks in contravention of the human rights code, the activity would then contravene the privacy legislation because the argument that the information is necessary for a legitimate business activity would not apply.
The relationship between the privacy laws and other legislation is sometimes intimate, and since fines under the federal private sector privacy legislation are significant, caution must be exercised.
What type of background checks would be reasonable for IT practitioners? There is no definitive answer to that question – it depends entirely upon the nature of the position and the risks. Background checks are fairly common in the justice and enforcement communities, especially for those positions managing intelligence and law enforcement systems.
The important point is that the job requirements and risks must be analyzed for each group of similar positions in the IT department. You will need to involve your human resources staff in the analysis as well as legal and union representatives. You may also want to involve a privacy or ethics specialist in the discussion. And you will need to identify the criteria against which the staff will be assessed.
You will also need to assess background checks in the context of the overall security plan. If background checks are employed in isolation, without activities to mitigate risks in other ways, then the justification for the background check might be viewed as contrived.
I’m not an advocate of indiscriminate surveillance and background checks, but I do recognize that they are necessary in certain circumstances, and they can be done in an unobtrusive manner.
In the aftermath of the terrorist attacks, there will be a greater impulse to know your employees. Managers will need to tread this road carefully.
Boufford, I.S.P., is president of e-Privacy Management Systems – a consulting firm specializing in privacy and information technology. He can be reached at [email protected]. His Web page can be viewed at www.e-Privacy.ca.