New EEA Code of Practice: Privacy at Work

FedEE’s New Code of Practice

FedEE has prepared a draft Code of Practice on Privacy at Work in Multinational Organisations. It has been prepared under the provisions of the EU’s General Data Protection Regulation (GDPR) that allow for such codes. Access to the Code will be limited to FedEE members, and the text will be finalised following the meeting of FedEE’s HR Data Management Forum in Nicosia on November 18th 2016. If you would like to gain access to the Code to help your organisation prepare for the GDPR and the Privacy Shield, join FedEE today.

Note on Data Security

The security of personal data is not purely an IT issue, but a broader business issue in which HR is at the forefront.

Every day we invade or expose the personal data of employees without even being aware of it, and therefore without taking the necessary precautions. The problem is that data protection is one of the fastest moving areas of legal development and litigation, and it is increasingly a field where breaches can destroy a company’s reputation. Penalties for infractions are also growing, and in many instances transgressions can engage the criminal law and expose individuals to personal liability for work-related acts or omissions.

The newly agreed European Union (EU) General Data Protection Regulation (GDPR) introduces a much tougher regime:

  • The right to be forgotten:  Article 17 of the regulation (the right to erasure) allows employees, former employees and contractors to require their employer to erase their personal data in certain situations.
  • The right to data portability:  Article 20 of the regulation gives employees, former employees and contractors the right to receive the personal data they have provided in a structured, commonly used, machine-readable format and to transmit it to another controller, such as a new employer.
  • The appointment of a professional data protection officer:  Most multinationals will have to comply with Articles 37 – 39 by appointing a data protection officer whose duties will be broad ranging and carry significant authority.
  • Consent:  This will be defined in a much stronger way to be “a clear affirmative action establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to personal data relating to him or her being processed”, plus “explicit” consent in relation to special categories of data.
  • Leakage:  Employers will be required to notify the supervisory authority of a personal data breach “without undue delay” and, where feasible, within 72 hours of becoming aware of it (Article 33).
  • Penalties:  Article 83 sets out a range of draconian fines for infringements. If a company violates data subjects’ rights it could face a fine of up to 4% of its total worldwide annual turnover or EUR 20 million, whichever is higher.

In a further move, in October 2015 the Court of Justice of the European Union struck down the US-EU Safe Harbor framework for transatlantic flows of personal data. Although the European Commission and the US Department of Commerce have devised a replacement, the “Privacy Shield”, it remains unclear whether this will also be declared unlawful.

Employers around the world are increasingly holding personal data in the cloud, and multinationals have a critical need to share data with other companies in the same Group regarding employees, contractors, suppliers and numerous other individuals. In at least 20% of cases this requires transfer to non-democratic or politically unstable countries which routinely monitor all telecommunications – an action which is not necessarily legitimate under many western countries’ laws.

Misuses of Personal Data

Those in business often regard data protection – like health and safety – as a necessary but tedious obligation that can be delegated to marginal specialists and generally disregarded. In fact both subjects must be central to HR concerns, and their neglect is an indication that HR is not accepting the core areas of its accountability. Both data protection and health and safety breaches can lead to severe consequences for employees and impact substantially on a company’s bottom line. Simply to assume that the worst will not happen is like buying a ticket for the Titanic and not taking along a life jacket.

Areas of everyday activity which many HR practitioners will often fail to associate with data protection vulnerabilities are: personnel/vehicle tracking, cloud computing, batch processing by third parties, express delivery, business communications via personal devices, social media, workplace monitoring, background checks, health checks, payroll access to bank accounts, business cards (impersonation)…

What can go wrong when personal data gets into the wrong hands?

Examples of the kind of consequences that can result from failure to operate data protection safeguards are: stalking/voyeurism/snooping, pestering through direct marketing, abduction, targeting for other malicious acts, blackmail, impersonation/identity theft, other misuses of identity, bank account theft, endangering parties in domestic disputes, unauthorised vetting, targeting by politically motivated protest groups and/or the press, tracing by loan sharks, predatory crimes on vulnerable people, intellectual property infringements, forgery, divulgence of company secrets/espionage, denial of service attacks, insider trading, fraud, bribery… and much more.

Therefore data security is not just an area of personal risk for the individuals concerned, but also an HR management risk.

For details about FedEE’s HR Data Management Forum please contact the Membership Secretary on +44 (0)117 975 8611

Copyright: FedEE Corporate Services Ltd 2017-2018