Cambridge Analytica has been all over the news for the past couple of weeks. The consulting firm allegedly used the personal information of 50 million Facebook users, without their permission, for political purposes. What does this issue mean to Canadian employers?

According to news reports, an app developer requested and gained access to information from Facebook users after they chose to download his app. According to Facebook, approximately 270,000 people downloaded the app in question. In so doing, they supposedly gave their consent for the app developer to access information such as the city they set on their Facebook profile, or content they had liked, as well as more limited information about friends who had their privacy settings set to allow such access.

The app developer then passed on this information to other parties, including Cambridge Analytica, in violation of Facebook's policies. Facebook said that when it learned of this violation, it demanded certification that the data had been destroyed. It claims to have received this certification but news reports say that the data was not actually deleted and was, in fact, used to influence the U.S. presidential election.

The matter exploded. Various regulators launched investigations, including the Office of the Privacy Commissioner of Canada, the Office of the Information and Privacy Commissioner of British Columbia, and the U.K. Information Commissioner (Elizabeth Denham, who was previously the Privacy Commissioner of British Columbia). Reports indicate that Mark Zuckerberg will be speaking to the U.S. Congress.

Various media reports have referred to this situation as a "data breach", a claim denied by Facebook. However, if the reports are accurate, personal information was used and disclosed in a way not originally foreseeable or understood by Facebook app users.

Why does this matter to employers?

What does any of this mean for the average employer in Canada? Although there are differences in the applicable federal and provincial public and private-sector privacy laws, many (if not most) of them require employers to give employees adequate notice of how and why their personal information is being collected, used, and disclosed. In addition, the purposes for which that information is collected, used, and disclosed are generally required to be reasonable.

Those principles may conflict with the technological capabilities of various HR tools on the market. An array of available tools promise more effective management of the modern workplace. However, it is possible that employee personal information may be collected, used, or disclosed in ways that are not anticipated or fully understood when a particular tool is implemented in the workplace, leading to unintended privacy-related consequences.

Lessons for Employers

  • Employers should be asking questions of their service providers to ensure that they fully understand how much information is being collected and the implications of use and disclosure.
  • Employers should consider whether the amount of information they are collecting and the way that it is used and disclosed is reasonable.
  • Employers should put tightly-worded agreements in place with service providers to protect employee personal information (but also to protect themselves).
  • Where notice to employees is required, it should be clear and sufficiently detailed to ensure that employees understand how their personal information is being managed.
  • Employers should always consider the requirements of the applicable privacy legislation. Where there are no specific legislative requirements relating to the collection, use or disclosure of employee personal information, employers may still wish to consider the possible reputational impact arising from information-handling.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.