The Information Commissioner’s Office has issued its first, significant monetary penalty following a serious data protection breach by an NHS body
The Information Commissioner’s Office (“ICO”) has taken action following an administrative error by Welsh health board, Aneurin Bevan Health Board (“ABHB”), which led to a serious breach of the Data Protection Act 1998 (“DPA”).
As the ICO gets used to using its new powers to issue substantial fines, all organizations which handle personal data need to ensure they are complying with their obligations under the DPA and have the necessary measures in place to avoid serious breaches occurring.
Section 55 of the DPA came into force on 6 April 2010 and allows the ICO, where there has been a serious contravention of the Act, to serve a monetary penalty notice on data controllers. The maximum penalty that can be imposed is £500,000.
What did they do wrong?
The error, which occurred in March 2011, meant that a highly sensitive report containing details of a patient’s health was sent to a former patient who had a similar name. A letter which had been drafted by a consultant and emailed to his secretary for formatting failed to identify accurately the patient to whom it should have been sent. The draft letter misspelt the name of the patient and did not contain sufficient additional details to identify the patient concerned. Furthermore, the letter was not checked prior to it being sent.
The investigation carried out by the ICO into the incident concluded that ABHB did not have in place sufficient checks to prevent personal data being sent to the wrong person and that the members of staff involved had not received any DPA training. An exacerbating factor was that the inadequate procedures followed in this instance were replicated across ABHB.
What was the penalty?
As a result of this incident ABHB has become the first NHS organization to be fined by the ICO.
The ICO has not only issued a fine of £70,000 to ABHB (which will be reduced to £56,000 if early payment is received) but also required it to sign an undertaking with a view to ensuring that all personal data it holds is processed in accordance with the DPA.
Following its investigation into this matter, the ICO had particular concerns about ABHB’s internal practices, and the undertaking also includes measures to deal with these, including implementing:
- new checks across the organization to ensure that patients’ identities are established before any documentation containing personal data is issued;
- the provision of training for staff;
- putting in place and maintaining appropriate IT and other security measures; and
- regular monitoring of compliance with the DPA.
This decision comes shortly after the ICO indicated that it would be focusing on, amongst others, the health sector in respect of responses to subject access requests. It has highlighted that notice should be taken of this decision by those operating within the health sector and stated that it is vital that the health service ensures that it has appropriate DPA compliance procedures in place.
The Information Rights Strategy that was published by the ICO at the end of 2011 made clear that it would be taking a robust approach to DPA compliance over the coming year. This decision reflects that approach and should be seriously considered by those organizations and employers operating within the health sector.
Future enforcement action by the ICO is likely to be significant, particularly in view of the European Commission’s proposals for reforming the approach to data protection across the European Economic Area.
Tips for organizations
- Ensure that all your employees are trained on handling personal data, particularly those who process it on a day-to-day basis.
- Consider carrying out a data protection audit to establish the level of compliance with the DPA within your organization and, if necessary, to decide how this can be improved.
- Ensure that you actively promote, implement and monitor compliance – it is not enough to have written policies in place if they are not enforced.
A BEERG-HR Policy Association policy paper describes how a proposed new regulation in the European Union replacing the myriad national laws governing individual data protection with a single set of EU-wide rules would have significant consequences for employment data. Most significantly, a violation of the regulation could subject a company to a fine of up to two percent of its annual global revenues. The policy paper, prepared by international law specialist, Malcolm Mason, describes several areas where the proposed regulation would impact the collection of HR data, including:
- A requirement of a “valid consent” by an employee before her/his data can be processed, and such consent may not be made a condition of employment;
- Stricter controls on transfers of personal data from within the EU to countries outside the EU;
- A “right to be forgotten” requiring data controllers to delete personal data relating to a data subject where the individual withdraws consent, objects to that controller’s processing of their information, or where their personal data is no longer needed; and
- A requirement to appoint a “data protection officer” for a two-year term with enhanced job protections.
While the proposed regulation is mainly targeted at social media and Internet trading, it fails to recognize that the nature of the relationship between an employer and an employee is fundamentally different from that between a user and Twitter or Facebook. As the proposal moves forward, our European ally BEERG will be making the case that employment data should be treated differently from social media data or client/consumer data and subjected to a separate set of rules.
The implementation of a project funded by the EU and meant to improve the protection of personal data in Serbia officially started last Wednesday.
The project began with a meeting between Rodoljub Sabic, Serbian commissioner for information of public importance and protection of personal data, and Slovenian commissioner for information Natasa Pirc Musar.
Sabic said the project would take six months to complete and would include numerous important activities, “starting with an evaluation of how harmonized our regulations are with the EU standards on the protection of personal information.”
He added the project would include “strengthening the institution of the commissioner by educating and training personnel to monitor and improve data protection in accordance with those standards,” Sabic’s office stated.
He said he was pleased to work with Slovenian colleagues, because the team led by Pirc Musar had gained recognition “not only in Slovenia, but in the EU also, as a team of excellent experts.”
The protection of identity data in Serbia is still in its first stage, even with the efforts invested by the commissioner and some initial results in the field, he noted.
According to Sabic, it is an issue of extreme significance in terms of respecting constitutionally guaranteed human rights, and it is also an issue “that will be one of the first the EU will inquire about once the start date for the negotiations is set.”
Source: As reported by Ekonom:east Media Group
The recently unveiled European Union (EU) data protection proposals call for hefty fines, new rules for reporting data breaches, large companies to appoint a data protection officer and several other regulations. Although the legislation has yet to be put into effect, many European enterprises are already planning ahead, making changes to their IT security strategies and policies.
The data protection proposal would enable the EU to fine companies in violation of the laws up to 2 percent of their global annual turnover. Combined with the increasing prevalence of cyberattacks and data breaches, the threat of severe financial punishment has prompted many businesses among EU member states to make continuous compliance an organizational priority.
According to a recent study by Tufin Technologies, 42 percent of network security managers believe the EU proposal has led to heightened risk awareness in their organization. Additionally, 34 percent of respondents said their attitude toward continuous compliance has changed due to the data protection legislation, and 54 percent said automating compliance audits would help reduce the risk of violating the regulations, potentially saving the company from being fined.
“While 29 percent of respondents have partially automated compliance audits, those processes that are not automated run the risk of falling out of compliance the moment after the auditor signs off on the audit,” said Shaul Efraim, vice president of marketing and business development for Tufin.
The report said respondents provided vastly different answers regarding best practices in reducing the risk of noncompliance. According to Tufin, some IT security professionals said a strict regulatory compliance strategy that includes a comprehensive data security awareness program would help organizations meet EU compliance standards.
While the proposed legislation may cause headaches for enterprise compliance officers and other IT professionals, the EU and Justice Commissioner Viviane Reding are confident the laws will facilitate stronger data protection standards for government organizations, businesses and consumers.
“Seventeen years ago less than 1 percent of Europeans used the internet,” Reding said. “Today, vast amounts of personal data are transferred and exchanged, across continents and around the globe in fractions of seconds. The protection of personal data is a fundamental right for all Europeans, but citizens do not always feel in full control of their personal data.”
Reding said the presented changes to the existing policy will save businesses around €2.3 billion per year by providing them with a single set of rules and one data protection authority to report to, reducing costs related to paperwork and other compliance expenses. Meanwhile, enterprises will be required to notify authorities about data breaches as quickly as possible – within 24 hours if feasible. Also, companies with more than 250 employees will have to appoint an independent data protection officer.
With the new regulations requiring organizations to quickly report data breaches, and large fines for companies that fail to do so, it’s essential for IT decision-makers to consider implementing security solutions capable of detecting and eliminating advanced threats before a major breach occurs. Some IT security providers offer integrated, state-of-the-art systems that can analyze security events in real time, giving enterprises the ability to reduce costs, efficiently detect threats and decrease risk. These advanced solutions can also help organizations meet regulatory compliance standards by encrypting critical data, controlling access and constantly monitoring company networks, systems and endpoints.
The importance of data protection legislation, organizational policies and awareness is at an all-time high, as cyberattacks are more sophisticated and widespread adoption of mobile devices has opened the door for new threats. According to a recent global survey, 86 percent of IT professionals believe their job would be at risk if a data breach occurred, revealing yet another reason enterprises must develop better security and data protection plans.
Security News from SimplySecurity.com by Trend Micro
After reports last July that the Data Protection Bill had been withdrawn from Ghana’s Parliament for adjustments, the bill was re-introduced and Parliament has passed the bill on February 10. The Act, said to be awaiting presidential assent to be fully operational, is modeled upon European precedents and will set out the rights and responsibilities of data controllers, data processors and data subjects in relation to personal data, under the supervisory authority of a Data Protection Commission. Ghana swore in a new President, John Atta Mills, a 64-year-old law professor, on January 8.
The following article by Matthew Howse, Partner, and Celia Kendrick, Associate, at Morgan Lewis should serve as a great primer for US as well as other multinational organizations that deal with human resource data of EU citizens. The EU’s proposed new revisions to data privacy could have broad ramifications for the unwary.
Outsourcing arrangements often require the transfer of employees’ personal data from the customer to the supplier or vice versa. For example, an outsourcing of payroll functions will involve the transfer of employee data.
Particular issues arise if the data is to be transferred outside of the EU. In addition, notwithstanding that most data protection legislation within the EU derives from the EU Data Protection Directive, there are important differences between countries on how personal data can be processed. The UK rules are currently contained in the Data Protection Act 1998.
In January 2012, the European Commission published its proposal for a new General Data Protection Regulation. The extensive proposals would overhaul this area of law and significantly increase data protection across Europe.
The key proposals are:
• Harmonization: A single set of rules will apply across Europe.
• Scope extends beyond Europe: The new rules will apply to EU businesses and businesses based outside the EU that process European citizens’ personal data for the sale of goods or services or the monitoring of behavior.
• Fines: Penalties for non-compliance will be significant, with businesses facing proposed fines of up to €1 million or up to 2% of their annual worldwide turnover (depending on whether the organization is an ‘enterprise’).
• Explicit consent: The new definition of “consent” will include a requirement that individuals’ consent must be explicitly obtained; it cannot be assumed.
• Notification requirements: Organizations will be required to notify their supervisory authority of a security breach without undue delay, meaning within 24 hours if that is feasible. If not, the notification must be accompanied by a reasoned justification.
• Right to be forgotten: Individuals will be able to ask to be forgotten and have their data deleted unless there is a legitimate ground for keeping it.
• Data protection officers: Organizations with over 250 employees will be required to have a designated data protection officer who will have specific duties in relation to monitoring and advising the organization.
These changes are probably long overdue – the current law was drafted when recent technological advances could not have been contemplated. However, preparing for the changes and ensuring compliance will place a large administrative and financial burden on businesses with a European presence, including businesses involved in outsourcing.
The next step is for the proposed Regulation to be considered by the European Parliament and Council. It is expected there will be widespread debate on the proposals, and that the Regulation will be amended. Once the Regulation is approved, it is likely to be a further two years before it comes into force.
If the current drafting of the Regulation is approved, there will be a significant change in data protection obligations for both customers and suppliers. Under the current law, only data controllers – organizations that control the purposes and manner for which personal data is processed – are subject to the obligations and restrictions on personal data. Most suppliers are data processors as they process personal data on behalf of the customer (the data controllers). However, the proposal is to impose restrictions and obligations directly on data processors (i.e. suppliers) for the first time.
Currently, it is important for all parties to establish who the data controller is and for the data controller to impose contractual obligations on the other party to ensure compliance with data protection legislation. It is also key to ensure that, if personal data will be moved outside of the EU, this is done in compliance with the strict restrictions on exporting data. Arguably, by extending the scope of data protection legislation to cover data processors and organizations based outside the EU which process EU citizens’ data, these considerations will become less significant for EU-based data controllers (i.e. customers). However, the effect on data processors and international organizations will be much more significant. The more stringent rules will place a tougher administrative burden on suppliers, which could lead to an increase in the overall cost of outsourcing.
Organizations that are about to enter into new outsourcing arrangements should be aware that their data protection obligations may change during the course of the arrangements. Contractual provisions should be drafted accordingly, for example to make data protection provisions subject to amendment to comply with legislative changes.
The key message for customers and suppliers is: watch this space. It will be some time before the measures are implemented, but the scope and effect of data protection legislation is likely to change significantly.
As published by © 2012 sourcingfocus.com
The Data Protection Commissioner of the Dubai International Financial Centre Authority (DIFCA) launched Consultation Paper No 3 on 15 December 2011, which sought public comment on DIFCA’s proposals to amend the Data Protection Law, DIFC Law No 1 of 2007, and the Data Protection Regulations. The consultation closed on 14 January 2012.
It is expected the amended Law will come into effect by June or July of 2012. The newly amended Law embodies international best practice standards, is consistent with EU Directives and OECD guidelines, and is designed to balance the legitimate needs of businesses and organizations to process personal data while upholding individuals’ rights to privacy. It should be noted that the Law and the newly amended Law apply only to individuals and organizations established in the Dubai International Financial Centre (DIFC).
The proposed amendments will require a data controller to notify the Commissioner of any changes to the particulars of a licensee as soon as possible and in any event within a period of 14 days from the date upon which the entry becomes inaccurate or incomplete. A maximum fine of US$ 25,000 could also be introduced for failing to register with the Commissioner’s Office.
The proposed amendments will also grant powers to the Commissioner to delegate functions and powers to the officers and employees of the DIFCA and powers to the DIFCA Board of Directors to pass regulations exempting certain data controllers.
It is believed that the changes are not so significant on their face, but the combination of amendments to make the rules more practical and more specific enforcement powers suggests that examples may be made of non-compliant DIFCA licensees to encourage better compliance.
Source: As published by DataGuidance http://www.dataguidance.com/.
The Ministry of Information, Communications and Culture (MICC) in Malaysia has set up a Data Protection Department to oversee the implementation of the Malaysian Personal Data Protection Act (PDPA) of 2010.
The PDPA – which is expected to come into force early this year – will introduce seven data protection principles – including the notice and choice principle, the disclosure principle and the data integrity principle – all aimed at protecting individuals’ personal data from misuse.
‘There is a question as to whether the Department’s role is merely temporary in ensuring the smooth transitional arrangement towards a more appropriate establishment i.e., the Data Protection Commissioner’ and it is believed that at this juncture, MICC has not officially issued a statement in relation to the enforcement date.
Nonetheless, if the latter takes place, Malaysian stakeholders and any legal entities which have a presence in Malaysia will have three months to comply with the PDPA. Bear in mind that, even if the Commissioner has been appointed, the nature of his or her independence is arguably questionable, as he or she reports directly to the Minister of MICC instead of having the degree of independence needed to enforce the PDPA obligations. My advice to businesses is to start strategising and executing.
The PDPA would apply to data users established in Malaysia, or who use equipment based in Malaysia to process personal data. The amount of the fines and the length of imprisonment would depend on the type of violation, with maximum fines set at 500,000 Malaysian Ringgit (approx. $160,000 USD).
Source: As published by DataGuidance http://www.dataguidance.com/.
With increasing connectivity and the advent of a truly global workforce, multinational operations have led to an exponential increase in the risks associated with candidate recruiting and the contract or contingent workforce.
Human capital is increasingly being acknowledged as the most important investment for any company. Finding the right talent for the right job at the right time is an enormous challenge that global HR teams face in today’s hiring environment.
In more recent times, crimes committed by individuals within corporations, together with increased legal scrutiny related to anti-corruption, have led to a growing realization of the value of background screening for all employees, contractors, and vendors at all levels.
Reported incidences of corruption, doing business with vendors listed on sanction and debarred parties lists in the petroleum sector, unauthorized access to sensitive customer information in financial services sector, instances of staff in educational institutions involved in exploitation cases — all have led to growing awareness of the need for background screening of employees as well as vendor / contract staff.
The reality is that an organization’s reputation is at stake should it hire someone or do business with an entity that has a questionable background. Brand equity and value can be adversely impacted if it becomes known that an organization did not exercise a reasonable level of due diligence before recruiting a certain individual or deciding to do business with a trading partner who had a questionable background. Thus, a lack of background screening, or a failure to perform the best-practice checks appropriate to the circumstances, on current or potential employees and trading partners is something that could come back to haunt any organization — through reduced business, an inability to retain better employees and an adverse impact on its public image.
If that wasn’t enough, not only can it be rather embarrassing for an organization that does not exercise due care in vetting its employees, contract staff or trading partners; such organizations can also be exposed to enforcement action by government authorities for not conducting what may be considered a reasonable level of due diligence, or for not having applied “due care” as may be required by new and existing anti-corruption laws such as the U.S. Foreign Corrupt Practices Act (FCPA), Sarbanes-Oxley, the Patriot Act, the U.S. Federal Sentencing Guidelines for Organizations (FSGO) and many other similar industry- or country-specific laws like the UK’s Bribery Act.
The FSGO requires organizational implementation of compliance standards and procedures that are “reasonably capable” of reducing the prospect of criminal conduct by employees, contractors, and business partners. In fact, according to the FSGO, due care must be taken to avoid delegating authority to individuals whom an organization knew, or should have known, had a propensity to engage in illegal activities.
What is considered adequate due diligence or due care according to many of the above mentioned legal provisions is beyond the scope of this article and will be discussed in a later article.
Global Background Screening Industry Overview
Although there has always been some demand for background checks abroad, the initial driving force for international or global background screening emerged about ten years ago, triggered by the 9/11 attacks. With a number of Fortune 1000 companies going global — either by setting up their own offices or by outsourcing work abroad — it was expected that their overseas-based entities (mainly IT and BPO companies) followed processes that were an integral part of their recruitment policies. (Incidentally, recent studies show more than 90 per cent of Fortune 500 companies have a formal policy of background screening their employees.) This led to background screening of their employees as well as their outsourced counterparts.
The concept of global background screening is no longer limited to just IT or the financial services segments. A growing number of organizations in the manufacturing, maritime, defense, pharmaceutical, petroleum, hospitality, health care, retail, travel, telecom, educational institutions and entertainment industries are adopting international background screening practices.
Today’s multinational companies (MNCs) face a growing challenge in managing the collection, use, processing and transfer of mass amounts of personally identifiable information globally, especially in light of the myriad data protection (privacy) laws that exist today. Effective management of global talent, data privacy, and security involves a multi-disciplinary approach spanning legislation, technology, and business processes in order to fully understand and address data protection and personal privacy issues on a global basis. It also requires recognition that effective management is a process that must include solutions for responding to constant changes in both internal and external factors affecting human resource data use, especially when it involves screening candidates around the world.
The actual overseas background screening process involves carrying out various types of checks based on a number of factors, such as the type of hire (entry, mid, professional, executive), whether the position is regulated, the level of risk the individual position poses to the organization, and the country at hand, to name a few. Any misrepresentation uncovered by the checks listed below should be reported as a discrepancy. The discrepancy rate is the percentage of misrepresented, fraudulent or adverse information that a comprehensive background screening procedure uncovers during the verification process.
- Identity check – confirms candidate is who they say they are
- Right to work check – confirms candidate is authorized to work in a given country
- Address verification – confirms candidate’s current residency
- Education – confirms academic credentials
- Employment – confirms claimed work history
- Reference check – confirms professional reputation
- Professional credential verification – confirms professional certifications
- Criminal records history – determine if candidate has a propensity to engage in illegal activities
- Regulatory and Compliance / Sanctions Search – determine if candidate has been sanctioned by relevant regulatory authorities, has been the subject of other enforcement actions, or identified as a possible politically exposed person
- Adverse media – news articles that contain derogatory information about the candidate
- Conflict of interest – evaluate if candidate may be involved in multiple interests
- Drug Testing – determination if candidate has a propensity to abuse illicit drugs
- Trading Partner / Vendor Screening – determine if vendor is legitimate and of good standing
It is critically important that ALL checks are initiated only after an authorization in writing by the concerned candidate is obtained.
A “credible” international background screening company will ensure that the process goes only through the legal / legitimate route of obtaining records or verifications. This may mean slower verification compared to some agencies who provide “quick,” “easy,” “cheap” criminal record results from every country on the planet, but through processes which may not stand the scrutiny of law! This was most recently highlighted in a case involving a company that purported to provide court record checks from a country where it is well known that court records are not the best-practice source for employment purposes. The end result was a series of missed criminal records that should have been reported, the loss of the screening company’s entire clientele, and ongoing litigation involving suspected fraud and misrepresentation.
While more and more screening companies offer international or global service, the best way of managing international background checks is to ensure that they are done by organizations that actually specialize in this area. This assumes the provider is able to demonstrate more than just a passing knowledge of available products. Specialized providers should be able to demonstrate a thorough understanding of the local data sources, a clear understanding of the specific geographic and search requirements, and the legal environment (laws related to data/record access rights, personal privacy, and relevant employment and human rights laws), and should be able to offer specific answers to questions related to best-practice screening in the given country. A specialized global background screening organization would not ordinarily compromise its reputation by failing to follow local compliance requirements.
Data shows that individuals with a questionable background tend to join organizations that do not conduct background screening of their employees or contract/vendor staff.
Hence, when these organizations do start conducting background screening, they find many discrepancies (employees who have misrepresented facts on their resumes or have a criminal background) and/or go through huge attrition (as employees who have misrepresented facts or have a negative background prefer to leave rather than be found out) when they announce background screening.
This is validation of how background screening becomes a deterrent against employees or prospective employees or even vendors misrepresenting facts on their resumes or employment applications. Thus, background screening proves to be a good insurance against risk to reputation related to bad hires as well as trading partners!
The international or global background screening industry is still in its emerging phase. There are many organizations/institutions overseas who, as a policy, do not share information with third parties for verification purposes. For some organizations and institutions which do not mind sharing information, it can be a longer process, as databases are manually maintained and the verification process involves going through very old data kept in physical form.
Employment checks that can be conducted at the click of a button in the US have to be conducted through phone calls, faxes, emails or site visits in India.
Moreover, many organizations abroad do not maintain databases or records for temporary employees, which leads to the unavailability of such crucial information.
Criminal background information that is available through various online databases and court records in the US is not comparable with what is available in other geographies. In many countries, such information needs to be sought at the central repository level and even locally in the concerned jurisdictions.
Collaborative online database solutions involving all parties concerned — the candidate, the recruiter, the verifier, the verifying authorities, etc. — will help in developing a ‘pre-qualified and pre-checked’ ready-to-hire talent pool — which is the need of the hour in the present economic scenario.
Aletheia Consulting Group provides multinational companies best in class International Background Check Provider Vendor Evaluation and Audits. If you would like to learn more about our Services for Multinational Employers please feel free to contact us at terry.corley@AletheiaConsultingGroup.co.
The responsibilities and obligations of employers under European Data Protection Directives and the UK Data Protection Act. Terry Corley, Aletheia Consulting Group, reviews the issues that a Director of Human Resources for a multinational organization can expect to face in the Global marketplace.
Susan Lane is a newly appointed Staffing Director at a large professional services firm, Abacus Accounting, Inc (ABACUS), based in the United States. ABACUS also maintains offices in over 50 countries across Asia, Europe and Latin America. Today, the majority of all HR-related activities are managed from ABACUS’s corporate headquarters in the US.
In addition to requiring her to assume her daily human resources responsibilities, the Vice President of Human Resources tasked Ann with determining whether ABACUS is compliant with data privacy (data protection) requirements in how it handles employee data abroad. Management was concerned that the company might be at risk of liability for non-compliance. They were also conscious that the company had not given sufficient consideration to many of the emerging international data privacy issues in the past, and that a number of its normal processes and policies might have to change as a result. The Vice President therefore asked Ann to report to the Board with her recommendations.
ABACUS recruits new candidate
As ABACUS’s Finance Director for European operations, based in London, had recently accepted a position with another firm, Ann’s first major task was to oversee the recruitment of a replacement. At the same time, management took the view that it could improve the level of customer service it provides at select Asia Pacific locations, and so asked Human Resources to recruit three new client services representatives for the Singapore and India offices.
To find a new Finance Director, Ann decided to use the services of an executive search firm as well as the staffing firm normally used by ABACUS to fill vacancies. She then instructed both agencies to locate qualified candidates in the countries where the positions will be filled.
US executive search firms recruiting from abroad
The very nature of the work of an executive search firm, head-hunter or staffing firm means that personal information is inevitably collected without an individual’s knowledge or consent, at least during the initial stages of recruitment. This can become challenging when a US-based employer plans to employ local nationals in a foreign country and is not familiar with the differences in employment and privacy legislation in that country. Fortunately, this is currently of little concern for Ann, at least until the recruiter provides her with the names of candidates who meet ABACUS’s initial recruitment requirements.
Complying with local data processing guidelines
It is at this point that Lane would normally begin processing personal information about a US-based candidate. However, after talking with corporate counsel and the company’s Chief Privacy Officer, she learns that, under the UK’s Employment Practices Data Protection Code, it is better if she is provided with applicant information in a manner that does not constitute the processing of ‘data’. Otherwise she will be obliged to notify the candidate that she is processing their personal data ‘as soon as practicable’ after receiving information from the search firm.
Company adequacy determination
Transferring personal data back to the US at this point would also require ABACUS to determine whether the company meets the adequacy protection requirements laid down by the European Union Data Protection Directive (95/46/EC). These laws limit the transfer of human resource data from the EU to third countries, such as the US, unless the third country or entity is found to provide an adequate level of protection. Accordingly, any employer such as ABACUS processing applicant data in the EU must first bring its HR data practices into line with the Directive and member state laws while the data is still in the EU.
These laws impose substantial requirements on the collection, transfer, processing and use of virtually all employee data. Member states such as the United Kingdom have further enacted laws, such as the UK Data Protection Act 1998, to implement the Directive; these also apply to employee and consumer personal information.
In the short term, Ann determined that until ABACUS is capable of meeting the adequacy requirements, she should not ask for personal information to be sent to her electronically from the UK to the US. This reduces the risk of the information constituting ‘personal data’, although it is unlikely that a paper-based record of an executive recruiter’s notes would be caught by the Directive or the DPA, given the restrictive definition of ‘relevant filing system’. If the suggested names are not considered suitable, Ann will immediately destroy the information.
Legal basis for transfers
When transferring employee data from the EU to third countries such as the US, companies such as ABACUS are required to identify and implement a legal basis for the transfer. Employers operating in the EU that collect or process personal information without adhering to member state laws, or that transfer personal information from the EU to a country without adequate protection or a relevant exception, may incur substantial legal liability.
A growing challenge
Organizations face a growing challenge in managing the collection, use, processing and transfer of large volumes of HR personal information, especially in light of the myriad international privacy laws that exist today and the emerging technologies designed to manage HR data in a global environment.
Effective management of overseas data privacy, HR policies for international applicants, and security requires a multi-disciplinary approach spanning policy development, legislation, technology and business processes, so that data protection and privacy issues are fully understood. It also requires recognition that effective HR data management is an ongoing process, one that must include a comprehensive Human Resource Data Privacy Management Plan for responding to constant changes in the internal and external factors affecting global employee data use in multinational organizations.