Sunday, July 7, 2013

Did you know that the 28th of January is Data Privacy Day?*

Ever since I have been working with HRIS in global companies, I’ve been collecting notes on how HR data, sensitive and private as it is, can be protected. I’ve decided to publish them here, but first the DISCLAIMER: these notes are of a general nature and share my personal ramblings and thoughts on the matter. They should not be construed as an attempt to offer or render legal opinion or to engage in the practice of law. Please consult a licensed professional if you require advice.

What is what?
One of the most prevalent modern frauds is one form or another of identity theft (identity cloning, financial ID theft, medical ID theft); we have all seen phishing attempts arrive by post and e-mail, and we are careful to shred personal documents rather than just throw them on the recycling pile. As HR professionals working with HR information, we are aware of the sensitivity of the data entrusted to us by our company; and as employees, we expect that our own information will be appropriately protected and remain private.
Governments have produced laws and guidelines, and since 1981 (the Council of Europe’s Convention 108, opened for signature on the 28th of January of that year, which is where Data Privacy Day gets its date) groups of countries have entered agreements on how data, and in particular HR data, can be shared across borders.


Plenty of information is available, often fairly indigestible and written in “legalese”. Several terms are used interchangeably; are they really synonyms? Not quite.

·       Data integrity addresses the concern that data should be correct and complete for the use we want to make of it. As a simple example, if the address held for an employee is not kept up to date, correspondence will fail to reach him/her, and the data is effectively trash.
·       Data security is focused on keeping information safe, protecting it from access by unauthorized entities. The idea is to keep hackers and intruders out, both to prevent theft of ideas or valuable information and to protect the integrity of the data (as above) against corruption, whether accidental or willful. To date it relies as much on the strength of individual passwords as on technical intrusion prevention, and passwords are the weak link.
·       Data privacy is often confused with data security, but it actually starts from data security and spans a wider area. Its concern is legal compliance with the multiple national and international regulations that protect an individual’s right to keep his or her data safe and private; it isn’t merely protection against external intrusion, but governance of the way HR data is shared internationally, where it is stored and how it is accessed. It means adhering to data privacy guidelines and regulations everywhere in the world where your organization is active.

As an individual, my concern is to keep my data secure: I make sure my passwords are up to the task (by the way, here is a great post on password security), that my firewall protects my home computers, and that my antivirus is up to date. As a corporation, or as an individual representing a corporation, I must understand what my responsibility entails, and I must extend my concern to data privacy.

The recent NSA scandal has made painfully obvious how unaware we are of who is looking at the information we share willingly; in the NSA case the public discussion has mostly been about metadata, but the fact remains that the same can be done with other data types and/or systems.

Is this also true if the company you work for is based and/or incorporated in the US? Yes, of course! In a more and more global world, our companies are involved in the global market and our employees are global citizens. Information is easier to access from anywhere and can be moved across borders without the data owner even realizing it, or knowing who is accessing it. If your company has operations in more than one country, you are immediately concerned by international data privacy regulations. You need to keep an eye out to know what the requirements are, how you can ensure compliance, and how they evolve.

Let's start with the European Data Protection Regulation (EDPR), proposed by the European Commission on 25 January 2012 as the successor to Data Protection Directive 95/46/EC. The EDPR regulates the processing and movement of personal data within, to and from the European Union. Keep in mind that an EU-wide text only sets the standard accepted by all member states; until the regulation is adopted, the Directive as transposed into each national law still applies, and single states often impose additional local compliance obligations.

I’d like to go through the meaning of this regulation in steps.

·       Personal data or “Personally Identifiable Information” (PII) is defined as any information relating to an identified or identifiable natural person. Any information that distinguishes one individual from another can be used for identification, so it isn’t just about names, dates of birth, social security and credit card numbers: it is a much more extensive set of data, innocuous fields which in combination can single out a person.
·       EDPR defines the conditions for moving personal data out of the European Economic Area (EEA: the EU plus Iceland, Liechtenstein and Norway), and it is pretty restrictive. In fact, all transfers are prohibited UNLESS one of the conditions is met.
·       When we talk about moving data out of the EEA, it doesn’t apply only to European companies’ data; all personal data pertaining to employees of European subsidiaries from corporations headquartered in other geographies must also comply. This has an immediate impact on a company designing global HRIS.
·       Personal data transfers are permitted to a set of countries that the European Commission has recognized as offering adequate protection for the data: Andorra, Argentina, Canada (only for organizations subject to its federal PIPEDA law), the Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, New Zealand, Switzerland and Uruguay. It is important to note that the US is not on this list.
·       US and EU companies that need to share data across the Atlantic can adopt the Safe Harbor process to streamline compliance. Safe Harbor is a self-certification by an individual US company with the US Department of Commerce, and it must be renewed every year. It is based on the following 7 principles:
o   Notice – right of being informed: employees must know what data is collected and stored by the company, and made aware of how it is used and disclosed.
o   Choice – If information is to be shared onward with third parties, this must be clearly explained to the employee and an opt-out must be made available (an opt-in, for sensitive data).
o   Onward Transfer – In addition to Notice and Choice, data may only be passed to third parties that themselves subscribe to the Safe Harbor principles or are otherwise bound to an equivalent level of protection.
o   Security - Reasonable efforts must be made to prevent disclosure, loss or alteration of collected information.
o   Data Integrity - Data must be relevant and reliable for the purpose it was collected for.
o   Access – Individuals must have reasonable access to the information stored about them and be able to correct, amend or delete it where it is inaccurate. The means of access aren’t specified (paper vs. self-service, for instance).
o   Enforcement – Commitment to cooperate with authorities to ensure investigation and resolution of complaints.
For more information on the 7 principles and on how Safe Harbor applies to HR, the Safe Harbor program’s own FAQ (FAQ 9 covers human resources data) is a good read.
·       The Safe Harbor self-certification is the solution for EU to US (and back) data transfers only; it is therefore NOT SUFFICIENT on its own to let a global company consolidate data from all its countries in one place.
·       For a multinational corporation, the geographical spread requires the adoption of Binding Corporate Rules (BCR), which document the steps taken to ensure “adequate protection” inside the group. To put it simply, a BCR is an internal, company-wide privacy policy, drafted to meet the specific business needs of the company. Drafted by the corporation, it is subject to approval by the data protection authorities; not all EU countries require a separate national authorization for the transfers, but many do. (See for example the GE approach here or BP here.)
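The point made above about PII, that fields which look harmless on their own can single out a person when combined, can be checked mechanically before an HR export leaves a country. The following Python script is an added example, not code from the original post. It runs a k-anonymity check over a constructed eight-row HR export (sample data, not real employees; the field names are assumptions for the illustration): no single field and no pair of fields singles anyone out, but every combination of three does. It then applies the standard remedy, generalising birth year into decades, and re-runs the check.

```python
"""Quasi-identifier (k-anonymity) check over a constructed HR export.

Added example, not from the original post. k-anonymity of a set of
quasi-identifier fields is the size of the smallest group of records that
share the same values for those fields; k == 1 means at least one employee
is uniquely identifiable from those fields alone.
"""
from collections import Counter
from itertools import combinations

# Constructed sample export (assumed field names, not real employees).
EMPLOYEES = [
    {"emp_id": 1001, "country": "DE", "gender": "F", "job_title": "Engineer", "birth_year": 1981},
    {"emp_id": 1002, "country": "DE", "gender": "F", "job_title": "Manager",  "birth_year": 1985},
    {"emp_id": 1003, "country": "DE", "gender": "M", "job_title": "Engineer", "birth_year": 1985},
    {"emp_id": 1004, "country": "DE", "gender": "M", "job_title": "Manager",  "birth_year": 1981},
    {"emp_id": 1005, "country": "FR", "gender": "F", "job_title": "Engineer", "birth_year": 1985},
    {"emp_id": 1006, "country": "FR", "gender": "F", "job_title": "Manager",  "birth_year": 1981},
    {"emp_id": 1007, "country": "FR", "gender": "M", "job_title": "Engineer", "birth_year": 1981},
    {"emp_id": 1008, "country": "FR", "gender": "M", "job_title": "Manager",  "birth_year": 1985},
]

# Fields that are not direct identifiers but could be combined to re-identify.
QUASI_IDS = ("country", "gender", "job_title", "birth_year")


def equivalence_classes(records, quasi_ids):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[k] for k in quasi_ids) for r in records)


def k_anonymity(records, quasi_ids):
    """Smallest equivalence class size; 1 means someone is uniquely identifiable."""
    return min(equivalence_classes(records, quasi_ids).values())


def singled_out(records, quasi_ids):
    """emp_ids that are unique for the given field combination."""
    classes = equivalence_classes(records, quasi_ids)
    return sorted(r["emp_id"] for r in records
                  if classes[tuple(r[k] for k in quasi_ids)] == 1)


def risky_combinations(records, candidate_fields, max_size=3):
    """All field combinations (up to max_size fields) with k-anonymity 1."""
    risky = []
    for n in range(1, max_size + 1):
        for combo in combinations(candidate_fields, n):
            if k_anonymity(records, combo) == 1:
                risky.append(combo)
    return risky


def generalize_birth_year(records, bucket=10):
    """Coarsen birth_year to a decade, a standard generalisation step to raise k."""
    return [dict(r, birth_year=(r["birth_year"] // bucket) * bucket) for r in records]


if __name__ == "__main__":
    print("k per single field:",
          {f: k_anonymity(EMPLOYEES, (f,)) for f in QUASI_IDS})
    print("risky combinations in raw export:",
          risky_combinations(EMPLOYEES, QUASI_IDS))
    print("employees singled out by (gender, job_title, birth_year):",
          singled_out(EMPLOYEES, ("gender", "job_title", "birth_year")))
    coarse = generalize_birth_year(EMPLOYEES)
    print("risky combinations after generalising birth_year:",
          risky_combinations(coarse, QUASI_IDS))
```

The generalisation removes three of the four risky triples; the remaining one (country, gender, job title) shows that coarsening a single attribute is rarely enough on its own, and that the review has to be repeated against every field set an export actually contains.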

All these points remain valid whatever the chosen delivery model is. The difference lies in how they are applied in each situation: on-premise vs. hosted/SaaS, single vs. multi-tenancy.

Please share your notes and comments on the subject, and thank you in advance for pointing out missed or incorrect details!

If you find my post interesting, you may also enjoy my recent "The International POV on Data Privacy".