Ever since I have been working with HRIS in the context of global companies, I’ve been collecting notes on how HR data, sensitive and private as it is, can be protected. I’ve decided to publish this blog, but here goes the DISCLAIMER: these notes are of a general nature, and share my personal ramblings and thoughts on the matter. It should not be construed as an attempt to offer or render legal opinion or engage in the practice of law. Please consult the advice of a licensed professional if you require it.
What is what?
One of the most common frauds of the modern age is one form or another of identity theft (identity cloning, financial ID theft, medical ID theft); we have seen first-hand phishing attempts received by mail and e-mail, and we are careful to shred personal documents rather than just throw them on the recycling pile. As HR professionals working with HR information, we are aware of the sensitivity of the data entrusted to us by our company; and as employees, we expect that our information will be appropriately protected and remain private.
Governments have produced laws and guidelines, and since 1981, groups of countries have entered agreements to decide how data (and in particular, HR data) can be shared across borders.
Plenty of information is available, often fairly indigestible and written in “legalese”. Several terms appear to be used interchangeably; are they really synonyms? Not quite.
· Data integrity addresses the concern that data should be correct and complete for the use we want to make of it. As a simple example, if the address held for your employee is not updated, correspondence will fail to reach him/her, and consequently the data is worthless.
· Data security is focused on keeping information safe, seeking protection from access by unauthorized entities. The idea is to keep out hackers and intruders, both to prevent theft of ideas or valuable information and to protect the integrity of the data (as above) against corruption, whether accidental or wilful. To date, it relies as much on technical intrusion prevention as on the strength of individual passwords... and that is a weak link (see below).
· Data privacy is often confused with data security, but it actually builds on data security and spans a wider area. Its concern is to ensure legal compliance with the multiple international regulations controlling and protecting individuals’ rights to keep their data safe and private; it isn’t merely protecting against external intrusions, but supervising the way HR data is shared internationally, where it is stored and how it is accessed. It means adhering to data privacy guidelines and regulations everywhere in the world where your organization is active.
As an individual, my concern is to keep my data secure – I make sure my passwords are up to the task (by the way, here is a great post on password security), that my firewall protects my home computers, and that my antivirus is up to date. As a corporation, or as an individual representing a corporation, I must gain an understanding of what my responsibility entails, and I must extend my concern to data privacy.
The recent NSA scandal has made painfully obvious how unaware we are of who is looking at the information we share willingly; in the NSA case we are only talking about metadata, but the fact remains that the same can be done with other data types and/or systems.
Is this also true if you work for a company that is based and/or incorporated in the US? Yes, of course! Living in a more and more global world, our companies are involved in the global market and our employees are global citizens. Information is easier to access from anywhere, and can be moved across borders without the data owner even realizing it, nor knowing who is accessing it. If your company has operations in more than one country, you are immediately concerned by international data privacy regulations. You need to keep an eye on what the requirements are, how you can ensure compliance, and how they evolve.
Laws
Let’s start with the European Data Protection Regulation (EDPR), released on 25 Jan 2012. The EDPR regulates the processing and movement of personal data within, to and from the European Union. Still, keep in mind that the EDPR only sets the standard accepted by all 27 member states, while single states often require additional local compliance obligations.
I’d like to go through the meaning of this regulation in steps.
· Personal data, or “Personally Identifiable Information” (PII), is defined as all information relating to an identified or identifiable natural person. Any information that distinguishes two individuals can be used for identification – so it isn’t just about names and date of birth, social security and credit cards, but a much more extensive set of data that in combination can allow identification.
· The EDPR defines the conditions for moving personal data out of the European Economic Area (EEA: EU plus Iceland, Liechtenstein and Norway), and is pretty restrictive. In fact, all movements are prohibited UNLESS conditions are met.
· When we talk about moving data out of the EEA, it doesn’t apply only to European companies’ data; all personal data pertaining to employees of European subsidiaries of corporations headquartered in other geographies must also comply. This has an immediate impact on a company designing a global HRIS.
· Personal data movement is permitted to a set of countries that the European Commission has recognized as offering adequate protection for the data: Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay. It is important to note that the US is not included in this list.
· US and EU companies that need to share data across the border can adopt the Safe Harbor process to streamline compliance. Safe Harbor is signed up to by a specific company and must be re-certified on a yearly basis. It is based on the following 7 principles:
o Notice – the right to be informed: employees must know what data is collected and stored by the company, and be made aware of how it is used and disclosed.
o Choice – if information is to be shared onward with third parties, this must be clearly explained to the employee and an opt-out option must be made available.
o Onward Transfer – in addition to Notice and Choice, transfers of data to third parties may only be made to organizations that also follow Safe Harbor.
o Security – reasonable efforts must be made to prevent disclosure, loss or alteration of the collected information.
o Data Integrity – data must be relevant and reliable for the purpose it was collected for.
o Access – reasonable access to the stored information is to be provided, both to the EU subsidiary and to the individual. The means of such access aren’t specified (paper vs. self-service, for instance).
o Enforcement – commitment to cooperate with authorities to ensure investigation and resolution of complaints.
For more information on the 7 principles and on how Safe Harbor applies to HR, export.gov has a good FAQ.
· The Safe Harbor sign-off is the solution in the case of EU to US (and back) data transfers; in these terms it is NOT SUFFICIENT to allow global companies to consolidate data globally.
· In the case of a multinational corporation, the geographical extent requires the adoption of Binding Corporate Rules (BCR), covering the steps taken to ensure compliance with “adequate protection”. To put it simply, a BCR document is an internal, company-wide privacy policy, drafted to meet the specific business needs of the company’s operations. Drafted by the corporation, it is subject to approval by the authorities; not all EU countries require such an approval, but many do (e.g. GE’s approach here or BP’s here).
All these points remain valid whatever the chosen delivery model is. The difference is how they are applied in the various situations – On Premise vs. ERP, single vs. multi-tenancy.
Please share your notes and comments on the subject, and thank you in advance for pointing out missed or incorrect details!
If you find my post interesting, you may also enjoy my recent "The International POV on Data Privacy"