Privacy Leader Series: Mark Sward

Last updated on January 8, 2023

When your business model is based on collecting and disclosing sensitive personal information — as is the case with pre-employment screening companies like SterlingBackcheck — you better ensure you have smart, capable, and qualified people leading your privacy and security efforts.

In this edition of the Privacy Leader Series we interview Mark Sward, the Director of Privacy with SterlingBackcheck, Canada’s leading pre-employment background screening firm and a leader in the industry worldwide.

Mark, it’s a pleasure to have you with us. How about you start us off by telling us about your role at SterlingBackcheck?

I would be glad to!

I was in a customer service and account management role at BackCheck for a number of years. In that time, I became very interested in the impact that background checks have on the people being checked.

Employers have a real need to know about the people they’re hiring, but what is the limit to how nosy they can be? And what happens to people who lose out on jobs because of inaccurate, outdated or irrelevant information that appears on a background check?

These questions led me to want to join BackCheck’s privacy team, the group that oversaw the development and enforcement of the company’s privacy policy, including interacting with background check applicants and ensuring they understood the process.

After BackCheck was acquired by Sterling and became SterlingBackcheck, the need arose for a new global privacy program.

I helped a colleague — who is now my boss — to make the case for a new structure, which included full-time role for me as Director of Privacy in Canada. In this role, I oversee the implementation and evolution of our corporate privacy program in Canada and support the program globally.

You sensed an opportunity and went after it. Congratulations Mark!

Tell us a bit more about the transition from BackCheck to SterlingBackcheck.

It has been fascinating to work with people all over the world who come from different backgrounds inside our organization.

SterlingBackcheck has grown through a number of acquisitions in the last few years (including BackCheck), which has led to challenges in aligning culture and processes around the world.

Trying to tackle these challenges has made me feel almost like an outside consultant — I may have no prior knowledge of any aspect of what someone is doing, even though we work for the same company; I have to work with them to understand what’s happening, identify any privacy concerns, and implement changes without having the in-depth knowledge I’m used to in a smaller organization where I’m familiar with all the moving parts.

What are some of the highlights of your role? What are some of the things you’d prefer not to do?

I enjoy talking to our clients about their screening programs, understanding their needs and concerns, and giving them feedback about how to approach background checks in a privacy-friendly way. In a way, it makes me feel like I’m making the job hunt a little fairer to people for whom it might sometimes be complex and difficult.

I’m not a lawyer and SterlingBackcheck isn’t a law firm, so we can’t tell clients what they should or shouldn’t do, but we can give best practice guidance about how to build their program in a way that respects applicants’ rights.

As for things I don’t like: I’m not a big fan of managing a large team of people. I love that I have a very small team working with me to provide a very specific type of support to the entire business.

What is the biggest challenge you face in your role?

The biggest challenge for me is trying to develop policy or process solutions that support both business efficiency and privacy.

I firmly believe there is always a solution, but it can be tricky to tease it out when you have an already complex business requirement that needs additional steps or safeguards to make it compliant with the corporate privacy policy and the law.

Part of your role surely includes sharing best practices with some of your clients. What are some of the most common best practices you share with employers using background checking services?

Definitely. Here are two of them:

• Don’t make a decision until you have all the information.
  If you receive information about a job applicant that appears to be negative, let her know.

  Ask her to clarify. Allow her to dispute its accuracy or completeness. Choosing not to hire or do business with someone because of an honest error in filling out a form, a period of unemployment that affected her creditworthiness, or an old criminal offence that is unrelated to the position, hurts both you and the applicant.

• Be transparent about the information you’re collecting and your reasons for collecting it.
  This seems like a given, but it amazes me how secretive some companies choose to be.

  Some employers in Canada are not subject to a privacy law (with regard to their employees’ information) and can legally collect information about an individual without notice or consent, but your employees expect more transparency than that. It’s only fair for them to know what information is influencing your decision.

And what do you think is the biggest challenge for businesses when it comes to becoming privacy compliant?

I think the biggest challenge is finding the middle ground between legal compliance and your customers’ expectations.

I don’t think it’s all that difficult to be compliant with the letter of PIPEDA and provincial privacy laws, but those laws are not well understood by the public and I think people have higher expectations for privacy than the law strictly requires.

Once you feel you’ve struck a balance in your privacy policy, you have to be prepared to defend it, not only to outsiders like customers or regulators, but also to internal stakeholders. Getting buy-in on a privacy policy from a large organization with many players – sometimes with seemingly contradictory interests – can be tricky.

Are there any trends that businesses should be aware about?

Canadian privacy laws are getting a bit outdated, and I think we can expect to see changes in the near future, such as more technical requirements and more regulatory “teeth” (read: fines).

I think many businesses have become comfortable with the status quo, knowing that a privacy policy that gives lip service to the law while not really having anything meaningful to back it up is not going to get them in too much trouble here.

It’s a whole lot easier to build a good, accountable program before the regulators come knocking with new rules and new fines, than to try to scramble to put something together when there are changes to the law.

I’m seeing more and more Canadian companies pick up on this and start to invest more in privacy, and I hope even more will follow suit.

Do you have any advice for people wanting to start a career in privacy compliance?

Start going to privacy conferences and making friends.

Privacy – especially in Canada – is not a very big world, and there aren’t that many privacy jobs available, so the more people you know the better.

If you already have a job and you see gaps in your organization’s privacy program (or a total lack of a privacy program), start making noise! If you can do it in a way that helps rather than hinders the business, and ideally doesn’t cost too much, you could build yourself a new position.

Any favourite blogs/resources/tools that you use?

I love the International Association of Privacy Professionals (IAPP) blogs and news digests.

Some of them are free, others require membership (I am a proud member, and I hold two IAPP certifications), but it’s worth signing up and subscribing so that you have an easy-to-digest summary of changes and news that matter to you.