New Code of Practice: Privacy at Work

FedEE’s New Code of Practice

FedEE has prepared a draft Code of Practice on Privacy at Work in Multinational Organisations. It has been prepared under provisions in the EU’s General Data Protection Regulations that allow for such Codes.

Note on Data Security

The security of personal data is not purely an IT issue, but a broader business issue in which HR is at the forefront.

Every day we invade or expose the personal data of employees without even being aware of it, and therefore without taking the necessary precautions. The problem is that data protection is one of the fastest-moving areas of legal development and litigation, and it is increasingly becoming a field where breaches can destroy a company’s reputation. Penalties for infractions are also growing, and in many instances transgressions can involve the criminal law, so that individuals may be punished for work-related acts or instances of neglect.

The European Union (EU) General Data Protection Regulations (GDPR) sets down a tough regime:

  • The right to be forgotten:  Article 17 of the regulation allows employees, former employees and contractors to order their employer to erase their personal data in certain situations.
  • The right to data portability:  Article 18 of the regulation gives employees, former employees and contractors the right to transmit any of their personal data from one employer to another.
  • The appointment of a professional data protection officer:  Most multinationals will have to comply with Articles 35–37 by appointing a data protection officer whose duties will be broad-ranging and carry significant authority.
  • Consent:  This will be defined in a much stronger way to be “a clear affirmative action establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to personal data relating to him or her being processed”, plus “explicit” consent in relation to special categories of data.
  • Leakage:  Employers will be required to notify the regulator of a breach “without undue delay” – normally within 72 hours of its discovery.
  • Penalties:  Article 79 sets out a range of draconian fines for infringements. If a company violates data subjects’ rights it could face a fine of up to 4% of its annual global turnover.

Employers around the world are increasingly holding personal data in a computing cloud, and multinationals have a critical need to share data with others in the same Group regarding employees, contractors, suppliers and numerous other individuals. In at least 20% of cases this requires transfer to nondemocratic or politically unstable countries which routinely monitor all telecommunications – an action which is not necessarily legitimate under many western countries’ laws.

Misuses of Personal Data

Those in business often regard data protection – like health and safety – as a necessary but tedious obligation that can be delegated to marginal specialists and generally disregarded. In fact both subjects must be central to HR concerns, and their neglect is an indication that HR is not accepting the core areas of its accountability. Both data protection and health and safety breaches can lead to severe consequences for employees and impact substantially on a company’s bottom line. Simply assuming that the worst will not happen is like buying a ticket for the Titanic and not taking along a life jacket.

Areas of everyday activity which many HR practitioners will often fail to associate with data protection vulnerabilities are: personnel/vehicle tracking, cloud computing, batch processing by third parties, express delivery, business communications via personal devices, social media, workplace monitoring, background checks, health checks, payroll access to bank accounts, business cards (impersonation)…

What can go wrong when personal data gets into the wrong hands?

Examples of the kind of consequences that can result from failure to operate data protection safeguards are: stalking/voyeurism/snooping, pestering through direct marketing, abduction, targeting for other malicious acts, blackmail, impersonation/identity theft, other misuses of identity, bank account theft, endangering parties in domestic disputes, unauthorized vetting, targeting by politically motivated protest groups and/or the press, tracing by loan sharks, predatory crimes on vulnerable people, intellectual property infringements, forgery, divulgence of company secrets/espionage, denial of service attacks, insider trading, fraud, bribery… and much more.

Therefore data security is not just an area of personal risk, but also an HR management risk.