Data privacy in connection with HR – ramblings
***Note that the content below has already appeared in my personal blog; I am adding it here as I’ve often seen questions raised on the topic***
Ever since I started working with HRIS in the context of global companies, I have been collecting notes on how HR data, sensitive and private as it is, can be protected. I have decided to publish them here, but first the DISCLAIMER: these notes are of an informative and general nature and share my personal ramblings and thoughts on the matter. They should not be construed as an attempt to offer or render a legal opinion or to engage in the practice of law. Please seek the advice of an experienced licensed professional if you require it.
What is what?
Data privacy in general is a question many IT professionals are wondering about, to the point that the 28th of January has been designated “Data Privacy Day“. The date was chosen to commemorate the signing of the Council of Europe’s data protection convention (Convention 108) in …; the day is meant to raise awareness about data privacy rights, and is “celebrated” in the US, Canada and all the countries of the EU (27 at the time of writing).
One of the most prevalent modern frauds involves one form or another of identity theft (identity cloning, financial ID theft, medical ID theft); most of us have seen first-hand phishing attempts arriving by post and e-mail, and are careful to shred personal documents rather than just throwing them on the recycling pile. As HR professionals working with HR information, we are aware of the sensitivity of the data entrusted to us by our company; and as employees, we expect that our own information will be appropriately protected and remain private.
Governments have produced laws and guidelines, and since 1981, groups of countries have entered agreements to decide how data (and in particular, HR data) can be shared across borders.
Plenty of information is available, often fairly indigestible and written in “legalese”. Several terms appear to be used interchangeably; are they really synonyms? Not quite.
- Data integrity addresses the concern that data should be correct and complete for the use we want to make of it. As a simple example, if the address held for an employee is not kept up to date, correspondence will fail to reach him or her, and the data is consequently worthless.
- Data security is focused on keeping information safe, protecting it from access by unauthorized parties. The idea is to keep out hackers and intruders, both to prevent theft of ideas or valuable information and to protect the integrity of the data (as above) against corruption, whether accidental or wilful.
- Data privacy is often confused with data security, but actually spans a wider area. Its concern is legal compliance with the many national and international regulations protecting individuals’ rights to keep their data safe and private. It is not merely about protecting against external intrusion, but about governing how HR data is shared internationally, where it is stored and how it is accessed: adherence to data privacy guidelines and regulations everywhere your organization is active.
As an individual, my concern is to keep my data secure: I make sure my passwords are up to the task (by the way, here is a great post on Password Security), that my firewall protects my home computers, and that my antivirus is up to date. As a corporation, or as an individual representing a corporation, I must gain an understanding of what my responsibility entails and extend my concern from data security to data privacy.
The recent NSA scandal has made painfully obvious how unaware we are of who is looking at the information we share; in the NSA case much of the discussion has been about metadata, but the fact remains that the same can be done with other data types and/or systems.
Is this also true if the company you work for is based and/or incorporated in the US? Yes, of course! In a more and more global world, our companies operate in a global market and our employees are global citizens. Information is easier to access from anywhere, and can be moved across borders without the data subject even realizing it, or knowing who is accessing it. If your company has operations in more than one country, you are immediately subject to international data privacy regulations. You need to keep an eye out to know what the requirements are, how you can ensure compliance, and how they evolve.
Laws
Let’s start with what I will call the European Data Protection Regulation (EDPR): the European Commission’s proposal of 25 Jan 2012 for a General Data Protection Regulation, intended to replace the Data Protection Directive (95/46/EC) that is currently in force and from which the transfer rules below derive. The EDPR regulates the processing and movement of personal data within, to and from the European Union. Still, keep in mind that EDPR only sets the standard accepted by all 27 member states, while individual states often impose additional local compliance obligations.
I’d like to go through the meaning of this regulation in steps.
- Personal data, or “Personally Identifiable Information” (PII) in US terminology, is defined as any information relating to an identified or identifiable natural person. Any information that distinguishes two individuals can be used for identification, so it isn’t just about names and dates of birth, social security and credit card numbers, but a much more extensive set of data that in combination can identify a person (for example a job title plus a work location plus a start date).
- EDPR defines when it is acceptable to move personal data out of the European Economic Area (EEA: the EU plus Iceland, Liechtenstein and Norway), and is pretty restrictive. In fact, all transfers are prohibited UNLESS specific conditions are met.
- When we talk about moving data out of the EEA, this doesn’t apply only to European companies’ data: all personal data of employees of European subsidiaries of corporations headquartered elsewhere must also comply. This has an immediate impact on a company designing a global HRIS.
- Personal data may be transferred to the countries that the European Commission has recognized as offering adequate protection for the data: Andorra, Argentina, Canada (for organizations subject to its federal private-sector privacy law), the Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay. It is important to note that the US is not on this list.
- US and EU companies needing to share data across the border can use the Safe Harbor framework to streamline compliance. Safe Harbor is a self-certification: the US company signs up with the US Department of Commerce, commits to the principles below, and must re-certify on a yearly basis. It is based on the following 7 principles:
- Notice – the right to be informed: employees must know what data is collected and stored by the company, and be made aware of how it is used and disclosed.
- Choice – if information is to be disclosed to third parties or used for a purpose other than the one it was collected for, this must be clearly explained to the employee and an opt-out must be made available; for sensitive information (such as health data or union membership) an explicit opt-in is required instead.
- Onward Transfer – in addition to Notice and Choice, transfers of data to third parties may only be made to organizations that themselves follow the Safe Harbor principles, or otherwise provide at least the same level of protection (for instance because they are subject to the Directive or an adequacy finding, or by written agreement).
- Security – reasonable precautions must be taken to protect the information from loss, misuse, unauthorized access, disclosure, alteration and destruction.
- Data Integrity – data must be relevant and reliable for the purpose it was collected for.
- Access – individuals must be given reasonable access to the information held about them, and be able to correct, amend or delete it where it is inaccurate. The means of such access are not specified (paper vs. Self-Service, for instance).
- Enforcement – a commitment to independent recourse mechanisms, to cooperate with the authorities in the investigation and resolution of complaints, and to remedy problems arising from non-compliance.
For more information on the 7 principles and on how Safe Harbor applies to HR, export.gov has a good FAQ.
- Safe Harbor certification is the solution for EU-to-US (and back) data transfers only; it is therefore NOT SUFFICIENT on its own to allow global companies to consolidate data globally.
- For a multinational corporation, the geographical spread requires the adoption of Binding Corporate Rules (BCR), covering the steps taken to ensure compliance with “adequate protection”. To put it simply, a BCR document is an internal, company-wide privacy policy, drafted to meet the specific business needs of the company’s operations. Drafted by the corporation, it is subject to approval by the data protection authorities; not all EU countries require such approval for transfers made under a BCR, but many do (see for example the GE approach here or BP here).
Hi Chiara,
Thank you for your insightful and helpful "ramblings"!
There is only one point I'd like to comment on: the emphasis on HR data being particularly sensitive. Of course it is sensitive, but the notion you often hear that it's the most sensitive of all data is just not true. I'd like to see HR pros climb off that throne.
I remember an HRD of a bank talking about how HR data is more sensitive than anything else and I only said "Oh, thanks for letting me know that the security of my current account data is considered second priority here - I shall switch banks tomorrow".
Yes, the law in most countries protects personal data in particular, but customer data can also fall into this category.
And then, how about a little thought experiment: "someone calls the CEO of an engineering company, claiming to have 3 CDs with all the company's HR data incl. pay, customer data incl. volumes, prices and terms, and technical designs of their products respectively. He'd publish one of them online now, but the CEO could choose which." - how confident are you that your CEO would not go for the HR CD to be published as the lesser of 3 evils?
I don't want to take anything away from anybody's effort in HR data security ( after all, HR authorisations is one of my specialisations, so I would cut my own revenue 😉 ).
However, HR pros are often seen as out of touch or arrogant when taking this stance. It just adds a bit to the notion that HR doesn't really understand the real business - and unnecessarily so.
Great point, Sven.
I focus on HR simply because that is what I do... but indeed, I believe that the type of data that each company and its leaders will protect most would be whatever is the "differentiators" - think recipes for a food/drink company, or code for an IT group, or - algorithms for Google.
The specific bank account data you mention is not technically HR, but somewhat fits in it - as it is PII data, no?
Perhaps the reason governments are trying to protect data is that "differentiating data" will be protected by corporations anyway, for the obvious reasons.
In my mind, there is no arrogance really - but sadly, we HR folks are often seen as such.
Hi Chiara,
I count myself as HR - or HRIS as well and I'm not suggesting there's more arrogance than anywhere else.
My (possibly biased) observation is that many HR pros seem to believe their data is more important thus adding to the far too common perception that "HR doesn't get Business". That's what I find sad, as HR functions are mostly struggling to sell themselves as a strategic business partner.
I absolutely agree with your view that legislation is (and needs to) force organisations to look after personal data (be it in an HR system or a transaction banking system), whilst companies will not need much encouragement to protect the data that brings them their competitive edge in the market, like recipes etc.