Archive for July, 2015

A Slippery Slope – Global Background Screening and Data Privacy

A colleague in Europe recently asked why some U.S., in-country, regional, and even global employee screening firms purport to offer products such as criminal and credit reports in countries where those records are either illegal to access or not permissible for employment purposes.

The answer, unfortunately, can be complex, and what is permissible in the U.S. often conflicts with what is permissible in a given geography. The challenge is that very few countries have laws that specifically govern background screening. Legal opinions vary depending on how familiar counsel is with the topic and how they interpret current legislation within local and international employment and privacy contexts. Matters are further complicated when an applicant or employee is an expatriate (i.e. a person temporarily or permanently residing in a country other than that of their citizenship). There is, however, a wide range of legislation that bears on the background check process. Relevant areas include, but are not limited to, personal privacy, human rights, employment law, regulations governing access to criminal and credit data, consumer reporting, rehabilitation of ex-offenders, and discrimination on grounds such as sex, family, religion, and disability, to name just a few.

The reality is that, compared with the U.S. and UK markets, the business practice and the industry at the global level are still very much at an emerging stage. Even as advances in high technology occur at lightning speed, laws and regulations governing technology and background screening develop at what seems like a snail’s pace. This is highlighted by the ongoing legal issues related to social media sites like Facebook and Google and to the online taxi services Uber and Lyft. These advances have quickly outdated many slowly developing legal doctrines around the globe.

Companies operating in the Global Background Screening space today often struggle to strike a balance between finding a source of information that’s cost effective for a client’s request versus performing adequate due diligence of local environments before offering service. To further compound the situation, employers and buyers of these services are seeking to streamline global recruitment and procurement processes and save money by automating and centralizing the human resource function, while at the same time looking to the background screening provider for best practice advice as it relates to local background screening practices.

The first step in working through any of these issues, whether as a screening provider or as a multinational or global employer, is to understand the questions that must be asked, and then to develop a method of examining the issues we’ve discussed to find solutions that are practical for each particular organization. There is no “right” answer and no “magic bullet” for global background screening and data privacy and security compliance. Each organization must find a solution that works within its culture, technology, and business, based on the resources available and the level of risk the organization is willing to accept.

As providers of global background screening services, we have a duty and an obligation, if we are to offer such services for any number of geographies, to undertake the due diligence needed to find the right answers to all of these questions rather than telling a client what we think they want to hear. Be certain that screening providers demonstrate much more than a passing knowledge of the local legal and cultural environments related to background screening.

Copyright © 2015 Aletheia Consulting Group

Aletheia Consulting Group provides expert cost effective global advisory solutions for multinational organization human resource, compliance, privacy, and security risk management resource needs. Our primary focus is on companies that have overseas operations that seek to navigate the sometimes challenging sea of international risk management involving the people, processes, technology and organization. If you’d like to learn more about our Services for Multinational Employers please feel free to contact us at Terry.Corley@me.com.

Drug Screening across Europe

Drug and alcohol abuse is a global problem, so it’s natural for U.S. and global companies expanding their workforce programs internationally to include screening as part of their hiring process. However, those looking to implement drug and alcohol screening in Europe need to be very mindful of local laws and customs. What is possible in the U.S. may run afoul of privacy laws in Europe, where the rights and protections of employees (and potential employees) are more closely guarded.

In Europe, local laws vary a great deal. It’s really only in Finland (2003), Ireland (2005) and Norway (2005) that clear legislation exists regarding drug testing in the workplace. Elsewhere, much of the legal framework, where it exists at all, comes from interpretations of a combination of national laws, including labor codes and laws on privacy, data protection, and health and safety at work.

All members of the European Union abide by the European Convention on Human Rights as well as EU directives on data protection and health and safety at work, so there is some degree of harmonization on basic principles. Testing is generally tied to a qualified level of risk and response, though the qualification is expressed in different ways: many countries state that testing can take place when there is a health, safety, or security risk, when it is “necessary,” “proportionate,” “justified,” or “reasonable,” or when there is suspicion of drug abuse. In Europe, the emphasis is generally placed on health aspects rather than on the possible illegality of drug use: in many countries, occupational doctors can only inform the employer whether an employee is “fit for work,” rather than revealing the full results of the test.

Obtaining the consent of employees to be screened via their employment contract is useful in some countries like the U.K. However, Belgium and Finland believe that fundamental rights such as the right to privacy are indivisible and therefore an individual cannot consent to waive such rights.

Countries also vary considerably in their emphasis on testing before or during employment. Pre-employment testing for screening purposes is actually illegal in the Netherlands; however testing is permitted for job applicants in some countries in certain situations.

At the end of the day, close consultation with local counsel as well as background screening experts familiar with the local environment is highly recommended as organizations look to incorporate drug screening into their global background screening programs.

Fraudulent Matric Certificates on the rise in South Africa

Background screening company EMPS says that the highest number of fraudulent CVs relates to matric certificates, followed by trade certificates.

It said that 2015 is proving to be a record year for credentials cheats, with criminal record checks for prospective employees now topping 12%.

The announcement by rail agency Prasa that it had suspended chief engineer Daniel Mtimkulu over what it said was the fact that “he lacked the necessary qualifications” and that he would be subjected to a disciplinary hearing once again showed how widespread the problem of degree fraud was in South Africa, it said.

Claiming a Ph.D. degree from a German university that proved to be false as well as a claim that he had started his studies at Wits at the age of 17 which also turned out to be untrue, Mtimkulu’s fall from grace showed just how important it was for employers to do a thorough qualifications check before they employed staff.

Kirsten Halcrow, MD at EMPS, said 7.62% of all qualifications verified by her company so far this year turned out to be “problematic”.

This compared with a 6.8% average for last year.

In a statement, Prasa confirmed that a full-blown investigation was underway to check Mtimkulu’s qualifications. Mtimkulu has since been suspended.

Last week, Netwerk24 reported that Mtimkulu was not officially registered with the profession’s statutory body.

In 2006, the Engineering Council of South Africa (Ecsa) rejected Daniel Mtimkulu’s application to register with it, according to the report.

Prasa has faced questions over the purchase of new diesel locomotives from Spain, and over a R51 billion tender for the purchase of 600 trains for its fleet renewal programme.

The agency had reportedly ignored warnings from engineers that the 13 Afro 4000 locomotives, imported from Spain for R600 million, were too high for local railways and could damage overhead cables.

EMPS said it uncovered the highest level of international qualification fraud ever last year.

“By far the most fraud was committed with matric certificates while trade certificates came in second with fraud levels rising from 5% the previous year to close on 7% this year.”

Halcrow said 7.6% of tertiary qualifications submitted to her company for verification in the first half of 2015 were unverifiable.

She said so-called degree mills continued to pose a problem as many employers took their fake certificates at face value.

A degree mill is an unaccredited higher education institution that offers illegitimate academic degrees and diplomas for a fee.

“Technically they have made great strides in producing degrees and diplomas that look almost exactly like the real thing,” she said.

Halcrow said that a person with a fake qualification can ruin a company. “Apart from being unable to do the job they were hired for, they could also do severe damage to the reputation of a company.”

EMPS pointed to other recent notable instances of degree fraud including former SABC chairwoman Ellen Tshabalala, who was discovered to have lied about having a BCom from Unisa.

The former ambassador to Japan, Mohau Pheko, was also found to have lied about her PhD, EMPS said.

Source: BusinessTech: http://businesstech.co.za/

New Luxembourg bill on data retention – Criminal Data

On January 7, 2015, the Luxembourg Ministry of Justice filed with the Chamber of Deputies bill n° 6763 (the Bill) modifying Article 67-1 of the Luxembourg Criminal Procedure Code (the Criminal Code) and Articles 5, 5-1 and 9 of the Act of May 30, 2005 laying down specific provisions for the protection of persons with regard to the processing of personal data in the electronic communications sector, as amended from time to time (the 2005 Privacy Act).

By so doing, the Luxembourg government aims to comply with the Court of Justice of the European Union (the ECJ) ruling of April 8, 2014, the so-called “Digital Rights”, in joint cases C-293/12 – Digital Rights Ireland and C-594/12 – Seitlinger and Others, whereby the ECJ has declared the Data Retention Directive 2006/24/EC to be invalid.

The Bill focuses on traffic data (Article 5 of the 2005 Privacy Act) and location data other than traffic data (Article 9 of the 2005 Privacy Act).

Firstly, the Bill intends to amend the current access by the judicial authorities to retained data for the purposes of the investigation, detection and prosecution of criminal offences subject to a criminal or correctional penalty of at least one year of imprisonment. Articles 5 (1) (a) and 9 (1) (a) will now refer to Article 67-1 (4) of the Criminal Code, where an exhaustive list of offences has been inserted.

Furthermore, the Bill proposes to amend Articles 5 (1) (b) and 9 (1) (b) by stating that service providers and operators must irrevocably and without delay delete the retained data at the end of the six-month retention period. Service providers and operators can no longer keep anonymous data at the end of the retention period.

The Bill also amends Articles 5 (6) and 9 (6) of the 2005 Privacy Act by modifying the penalties to be imposed in case of breach of Articles 5 (1) to 5 (5) and 9 (1) to 9 (5) of the 2005 Privacy Act. The penalty will now be a sentence of six months to two years of imprisonment and/or a fine of between EUR 251 and EUR 125,000.

Finally, the Bill will oblige service providers and operators, through the amended Article 5-1, to store data on the territory of the European Union.

Source: Stibbe, Johanne Mersch

China proposes draft privacy legislation with significant potential implications

On July 6, 2015, China’s legislature, the National People’s Congress (NPC), circulated for comment two pieces of draft legislation with significant potential implications for data privacy and data security in China. The key provisions of these two draft laws are summarized below.

DRAFT CYBER SECURITY LAW

Coming closely on the heels of the July 1, 2015 promulgation of a new national security law, the draft Cyber Security Law (网络安全法) has as its stated goal the protection of “cyber sovereignty” and the preservation of cyber security. It includes provisions governing data localization, protection of personal information and other data, and network security.

  • Definition of personal information. Many Chinese regulations that include provisions governing the protection of personal information are unclear on the scope of the term “personal information”. The draft law includes a relatively detailed definition of “citizens’ personal information”, meaning personal information such as a citizen’s name, birth date, ID number, biometric data, profession, residence, or telephone number, recorded electronically or through another method, as well as other kinds of information that, alone or combined with other information, may be used to determine a citizen’s identity.
  • Data localization. Article 31 of the draft law would require an operator of “key information infrastructure” to store personal information and other “significant data” collected and produced in the course of its business operations inside China. It would also require that, before any of that data can be shared with parties overseas or stored overseas, the Chinese company complete a security evaluation in order to evaluate the security risk associated with the data export. The term “key information infrastructure” refers to, among other things, public communications infrastructure and information systems used by public utilities, government at the municipal or higher level, or the military, or used in transportation systems, health care, or the financial sector. Notably, the term also includes networks and systems owned or managed by network services providers that provide services to “large groups of users”, potentially giving the data localization requirements of the draft law a very broad application. Frustratingly, the term “significant data” is not defined in the draft law. We anticipate the intention is to reinforce existing restrictions on the export of state secrets, as well as address other information whose export may have an impact on national security, but further guidance will be needed on this issue, as well as on the nature of the security evaluation required in connection with data exports.
  • Data protection. Chapter 4 of the draft law includes broad provisions governing the protection of network data, including personal information. The term “network data” refers to all kinds of electronic data collected, stored, transmitted, processed, and produced through networks. The personal information protection provisions take a similar approach to personal information protection in sector-specific data privacy rules already in place with respect to the telecommunications sector. The provisions apply to all “network operators”. “Network operator” and the term “network” are both defined broadly so that the obligations apply to the owner of any computer information network, as well as to any party who administers a computer information network or provides services over it. As such, the data protection provisions of the draft law apply broadly to a very wide range of parties who either own or use a computer information network (and effectively to all personal information in electronic form), and not only within the limited sectors covered by current rules. The principal requirements include the following:
    • Collection and use of personal information must comply with the principles of legality, legitimacy, and necessity.
    • The purpose, method, and scope of the collection and use of personal information must be expressly disclosed, and the collection and use of personal information must be based on the individual’s consent.
    • Network operators may collect and use personal information only in connection with their provision of services and should not collect or use personal information outside the scope agreed by the individual.
    • Network operators should disclose to individuals their policies for the collection and use of personal information.
    • Individuals can demand that personal information collected unlawfully be deleted, and they have the right to demand correction of personal information that is inaccurate.
    • No entity or individual may steal or acquire personal information by other unlawful means, or sell or unlawfully provide personal information to others; language that corresponds to language in the Ninth Amendment to the Criminal Law is also discussed in this update.
  • Security certification/inspection. Article 19 of the draft law would require that key network equipment and special-purpose network security products comply with applicable security standards and be subject to a security certification or security inspection before being sold in the market. The security certification/inspection requirement builds on a similar requirement contemplated in regard to equipment used in the telecommunications and Internet sectors in the Guiding Opinions on Strengthening Network Security in the Telecommunications and Internet Sectors. Article 19 makes clear that its implementation is subject to the issuance of a catalogue of key network equipment and special-purpose network security products by the “State network information department”, a reference to the Cyber Administration of China (CAC).
  • National security review. Article 30 of the draft law contemplates a vague national security review requirement, requiring the operator of “key information infrastructure” procuring network products or services to undergo a security review process led by the CAC if the procurement “might have an effect on national security”. This brief provision does not provide further details but states that the implementing measures for this process will be issued by the State Council. This requirement echoes the announcement made by the State Internet Information Office on May 22, 2014, which stated for the first time that all important technology products and services affecting national security or the public interest will be subject to a “cyber security” review. This provision of the draft law would establish the formal statutory basis for implementing such a national security review process for the procurement of IT equipment and services for important IT infrastructure.

It is difficult to predict how long it will take for the NPC’s legislation process to be completed after the period for comments closes on August 5, 2015. The draft law is still subject to two readings before the full NPC or its Standing Committee, and we anticipate that a significant amount of debate within government circles has yet to take place on various aspects of the draft law before the law is formally promulgated. Some commentators are predicting that the draft law will be promulgated before the end of 2015.

In the meantime, various other regulatory efforts continue as part of the Chinese government’s campaign to enhance network security, many of which are likely to have an adverse impact on market access by foreign IT companies.

DRAFT AMENDMENT TO CRIMINAL LAW

As we reported previously, the NPC circulated for public comment Amendment 9 to the Criminal Law of the People’s Republic of China (Draft) (中华人民共和国刑法修正案(九)(草案)), which contemplated a significant broadening of the scope of criminal liability under Article 253 of the Criminal Law for misuse of personal information.

The NPC has circulated a second draft of Amendment 9 (刑法修正案(九)(草案二次审议稿)), which, while reworking the drafting of the data privacy provisions of the first draft, preserves the scope of criminal liability contemplated in the first draft while increasing the related penalties. Now any breach of Article 253 is subject to a prison term of up to three years, with a longer prison term of between three and seven years if the circumstances are especially serious. Under the previous draft, the maximum penalty was three years (two for the new offense of unlawfully “selling or providing personal information to another party” introduced in the first draft).

It is likewise difficult to predict how long it will take for the NPC to complete its legislation process in respect of the Criminal Law amendment after the period for comments closes on August 5, 2015. The draft is still subject to one reading before the full NPC or its Standing Committee.

Source: Morrison & Foerster LLP, Paul D. McKenzie and Wei Zhang

Electronic Signatures in Global Human Resources

Part 1 – A cautionary tale for obtaining electronically signed consent from applicants

Human Resources has historically faced the challenge of managing a multitude of hard-copy HR documents bearing employee signatures and internal sign-offs: consider job applications, offer letters, I-9 verifications, background check notice and consent forms, employment agreements, restrictive covenants and non-disclosure agreements, to name a few. Even just fifteen years ago the vast majority of the background screening industry relied on fax-based consumer authorization forms from clients prior to initiating a background check on U.S. candidates.

Today, with advances in technology, domestic and global organizations look to automate as much as possible of the manual paperwork generated and maintained by HR, which can be challenging to say the least, especially when multinational and transnational companies are involved. More and more organizations, small, medium and large, have transitioned or are transitioning to electronic recordkeeping and computer-generated HR documents maintained on intranet servers or in the cloud, and the volume of paper documentation bearing manual employee signatures is in decline. Manual documentation is becoming redundant as HR embraces various types of HRIS, ATS and on-demand background screening systems as well as hundreds of other paperless HR solutions. Not to mention, of course, that the drive to “go green” or to a “paperless office” is considered much more environmentally friendly.

All of this means that many new hires today have less and less need to put pen to paper during the recruitment, selection, and onboarding process, with ever fewer “wet signatures” on manual documentation. It’s much simpler to have an applicant tick a box or scribble their name on a tablet within an online application with electronic forms, and to endorse agreements via email.

A Cautionary Tale

Advances in high technology occur at lightning speed, but laws and regulations governing technology develop at what seems like a snail’s pace. This is highlighted by the ongoing legal issues related to social media sites like Facebook and Google and to the online taxi services Uber and Lyft. These advances have quickly outdated many slowly developing legal doctrines around the globe. As globalization, conservation and technology reduce HR documentation, including wet signatures, from the human resource process point of view, well-established philosophies of law around the globe remain firmly embedded in “old-school” document execution and authentication procedures: wet signatures, originals, notarizations, counter-signing witnesses and, in some cases, stamps and seals.

The challenge is that in many countries around the globe, legal doctrines preceding the Internet remain firmly embedded when deciding questions pertaining to admissibility and enforceability of electronic signatures, acknowledgements, assents, and verifications. Most legal issues around document enforceability in the “paperless office” involve signed paperwork—duly distributed electronic business records that do not bear any signatures can always simply be printed out.

Consider the following fictitious scenario. In any number of countries, a Human Resource professional sacks two employees for violating the company’s code of conduct. Both employees deny ever having read or even seen the code, and their disputes end up in a labor tribunal or court proceeding. Employee #1 had allegedly signed a hard copy of the code of conduct acknowledgement in wet ink, agreeing to abide by the code, which the employer duly filed away in the employee’s personnel file. Employee #2, who was hired later, allegedly must have at some point clicked “I agree” on an electronic code of conduct acknowledgement; the company’s IT department vehemently insists that all employees onboarded well before employee #2’s hire date have had to click past a code of conduct acknowledgement page to sign onto the company intranet. A legal opinion from in-country general counsel isn’t needed to understand why this employer is going to have a far weaker case regarding employee #2’s code of conduct acknowledgement than regarding employee #1’s.

Stay tuned for Part II of Electronic Signatures in Global Human Resources, in which we discuss some of the major pieces of national and international legislation on this topic around the globe, the differences between formal “advanced” employee electronic signatures and electronic assents, acknowledgements and HR records, and finally possible solutions for minimizing the risks associated with electronic consent technology.

Privacy Policies not up to par with Australia’s Privacy Requirements

Australia’s Information Commissioner released the results of its assessment of the online privacy policies of 20 Australian and multinational organizations across a multitude of industries, including finance, government and retail. The goal was to assess the privacy policies of companies that are physically located in Australia and/or that collect, process, and export data from Australia against the new requirements of Australian Privacy Principle 1 (APP 1), which requires organizations and agencies to have a privacy policy that is clearly expressed and up to date.

The Australian Privacy Commissioner, Timothy Pilgrim, said that all of the organizations and agencies assessed had privacy policies that were easy to locate, but for some there was still room for improvement: 55% of the policies did not meet one or more of the basic content requirements under APP 1.

‘Under Australian privacy laws, privacy policies need to include certain information so that people can be informed about how their personal information will be handled if they choose to deal with a particular organisation,’ Mr Pilgrim said.

‘The key to a good privacy policy is to make the information easy to read and accessible and we certainly saw some great examples of creative ways in which this type of information can be presented. However some policies are still too long making it difficult to locate relevant information’.

While all policies adequately described the kinds of personal information they collect and how it is collected, some did not outline how personal information could be accessed and corrected, how a privacy complaint could be made, how personal information would be protected, or whether the personal information was likely to be sent overseas.

This is keenly important for HR departments that routinely recruit from places like Australia. Candidates need to be presented with clear, easy-to-understand privacy policies if it’s anticipated that their information may be collected and processed during the recruitment and selection process.
