
International personal privacy compliance for global staffing directors


The responsibilities and obligations of employers under European Data Protection Directives and the UK Data Protection Act. Terry Corley, Aletheia Consulting Group, reviews the issues that a Director of Human Resources for a multinational organization can expect to face in the Global marketplace.

Susan Lane is a newly appointed Staffing Director at a large professional services firm, Abacus Accounting, Inc (ABACUS), based in the United States. ABACUS also maintains offices in over 50 countries, including in Asia, Europe and Latin America. Today, the majority of all HR-related activities are maintained by ABACUS’s corporate headquarters in the US.

In addition to requiring her to assume her daily human resources responsibilities, the Vice President of Human Resources tasked Ann with determining whether ABACUS is compliant with data privacy (data protection) requirements in relation to how it handles employee data abroad. There was concern in Management that the company might be at risk of liability for non-compliance. They were also conscious that the company had not given sufficient consideration to many of the emerging international data privacy issues in the past and that a number of its normal processes and policies may have to change as a result. The Vice President therefore asked Ann to report to the Board with her recommendations.

ABACUS recruits new candidate
As ABACUS’s Finance Director for European operations, based in London, recently accepted a position with another firm, Ann’s first major task was to oversee the recruitment of a replacement. At the same time, management took the view that it could also improve the level of customer service it provides for select Asia Pacific locations and thus asked Human Resources to recruit three new client services representatives for their Singapore and India offices.

To find a new Finance Director, Ann decided to use the services of an executive search firm as well as the staffing firm normally used by ABACUS to fill vacancies. She then instructed both agencies to locate qualified candidates from the countries in which the positions will be filled.

US executive search firms recruiting from abroad
The very nature of the efforts of an executive search firm, head-hunter or staffing firm means that personal information is inevitably collected without an individual’s knowledge or consent, at least during the initial stages of recruitment. It may, however, be a little challenging when a US-based employer plans to employ local nationals in a foreign country when the employer may not be familiar with the differences in employment and privacy legislation prevalent in a given country. Fortunately, this is currently of little concern for Ann, at least until the recruiter provides her with the names of candidates that meet ABACUS’s initial recruitment requirements.

Complying with local data processing guidelines
It is at this point that Lane would normally begin processing personal information about a US-based candidate. However, after talking with corporate counsel and the company’s Chief Privacy Officer, she learns that based on the UK’s Employment Practices Data Protection Code it is better if she is provided with applicant information in a manner that doesn’t constitute the processing of ‘data’. She will otherwise be obligated to notify the candidate that she is processing their personal data ‘as soon as practicable’ after receiving information from the search firm.

Company adequacy determination
Transferring personal data back to the US at this point would also require ABACUS to determine if the company meets adequacy protection requirements as dictated by the European Union Data Protection Directive (95/46/EC). These laws limit the transfer of human resource data from the EU to third countries, such as the US, unless the third country or entity is found to provide an adequate level of protection. Accordingly, any employer such as ABACUS processing applicant data in the EU must first revise its HR data practices to comply with the Directive and member state laws while the data is still in the EU.

These laws impose substantial requirements on the collection, transfer, processing and use of virtually all employee data. Member states such as the United Kingdom have further enacted laws such as the UK Data Protection Act 1998 to implement the Directive that also apply to employee and consumer personal information.

In the short term, Ann determined that until ABACUS is capable of meeting adequacy requirements, she should not request personal information to be sent electronically from the UK to her in the US. This thereby reduces the risk of it constituting ‘personal data’, although it is unlikely that a paper-based record of an executive recruiter’s notes would be caught by the Directives or the DPA due to the restrictive definition of ‘relevant filing system’. If the suggested names are not considered suitable then Ann will immediately destroy the information.

Legal basis for transfers
When transferring employee data from the EU to third countries such as the US, companies such as ABACUS are required to identify and implement a legal basis for such transfers. Employers operating in the EU that collect or process personal information in the EU without adhering to member state laws or that transfer personal information from the EU to a country without adequate protection or a relevant exception may incur substantial legal liability.

A growing challenge
Organizations are facing a growing challenge in managing the collection, use, processing and transfer of mass amounts of HR personal information, especially in light of the myriad of international personal privacy laws that exist today as well as emerging technologies designed to manage HR data in a global environment.

Effective management of overseas data privacy, HR policies related to international applicants, and security involves a multi-disciplinary approach involving policy development, legislation, technology and business processes in order to fully understand data protection and privacy issues. It also requires recognition that effective HR data management is a process that must include a comprehensive Human Resource, Data Privacy Management Plan for responding to constant changes in both internal and external factors affecting global employee data use in multinational organizations.
