A cost-effective way to protect global HR data

28 Mar A cost-effective way to protect global HR data

Editor’s note: This is the second of a two-part series

In Part I of this two-part series, I discussed the need for CIOs and other managers to understand and address the data privacy compliance issues that globally integrated human resource information systems (HRIS) create. Failing to do so could result in significant sanctions, expensive system redesigns, or orders limiting or prohibiting use in certain countries.
Part I also identified how these privacy issues arise. In this Part II, I will identify and evaluate the three ways companies can design their global HRIS systems to satisfy the myriad, and often conflicting, data privacy requirements of the many jurisdictions in which they operate.
The methods
There are three fundamental ways to approach the design of a global data privacy policy. First, you can adopt a separate policy with separate rules and procedures for each country in which you operate. This is administratively the most difficult approach, reduces or eliminates many of the cost saving advantages sought through integrated HRIS systems, and increases the risk that the wrong policies will inadvertently be applied in a particular circumstance.
Second, you can identify all the requirements of each country in which you operate, and apply the most onerous requirements everywhere. This results in very strong protection and high levels of compliance, but it also can hamstring many activities that seem natural and necessary to the typical company. It also means extending substantive rights, such as those provided to data subjects in the EU, to the more litigious and damage claim-oriented employees of the U.S., a potentially expensive and troublesome combination.
Third, you can devise a system that seeks to provide a uniform level of substantive privacy protection throughout the company, based on the core principles that underlay all the data protection systems anywhere in the world, and then establish a system for dealing with special requirements that arise in specific jurisdictions. So, for example, you might adopt a uniform global policy that requires all business units to permit each data subject to see, upon request, the PII information the company has about that individual.
Since various laws require a response to such a request in anywhere from five to 60 days, you could also adopt a procedural requirement that all such responses shall be made within five days of receipt, unless that is not possible or some law prohibits the disclosure of specific information. Such a system would eliminate most variations, provide a high and defensible level of compliance in all countries based on a single system, and still permit the company to address the “special case” properly.
Standing on principles
What are the core privacy precepts that underlay all of the existing data protection laws? They have been expressed in many ways. Sometimes they are expressed as five “fair information privacy principles,” sometimes eight or 10. But at root, they all involve the following:
• Purpose Limitation Principle: The company shall obtain personal information only for specified and lawful purposes, and shall not permit personal information to be processed in a manner incompatible with those purposes, except as expressly permitted by law or permitted by the data subject.
• Proportionality Principle: The company shall collect and use personal information that is adequate, relevant, and not excessive in relation to the purposes for which they are processed.
• Fairness Principle: The company shall process personal information fairly, lawfully, and in accordance with the rights of the data subjects.
• Quality Principle: The company shall take reasonable steps to see that the personal information upon which it relies in making decisions is accurate and, where necessary or appropriate for ongoing purposes, kept up to date.
• Security Principle: The company will establish physical, technical, and organizational measures intended to protect against unauthorized or unlawful processing of personal information, as well as accidental loss or destruction of, or damage to personal information, that are appropriate to the nature and sensitivity of the data.
• Retention Principle: The company will not keep personal information for longer than is necessary to accomplish the specified and lawful purposes for which they were collected, except as required by law or as may be required to protect a known interest of the data subject.
• Openness or Transparency Principle: The company will clearly and accurately state its data-privacy policies and practices and make those policies and procedures readily available to the data subjects.
• Access Principle: The company will make the personal information in its possession or control available to the data subjects on reasonable terms to facilitate the correction of erroneous information, supplementation of incomplete or misleading information, or deletion of unnecessary, inappropriate, or unlawfully processed information.
• Onward Transfer Principle: The company will not authorize or permit others to process personal information that the company has collected, or personal information that others have entrusted to it, unless the company has in place contractual, legal, or other mechanisms reasonably calculated to maintain the same level of protection as it would apply if the data remained in its own hands.
Adoption is only the first step
Putting these principles at the core of all your data activities will undoubtedly require a change in culture and procedure. And adopting these principles is only the first step. You must also devise and adopt procedures to implement them, train personnel, provide necessary notifications to data protection authorities and data subjects, review third party contracts, audit compliance, revise employment contracts, etc.
Nevertheless, if you recognize that these principles are at the core of all the data protection laws throughout the world, and that they should be incorporated into all your data activities, you can adopt more uniform, legally compliant, and useful systems at lower overall cost.
Other columns by Mark Foley
• Mark Foley: Developing global data privacy policies for HR data (part 1)
• Mark Foley: Expert testimony may be needed for e-discovery keyword searches
• Mark Foley: Internet law: 12 questions for board oversight of data privacy and security