European Data Privacy Paula Barrett 21/07/05

Transcription

1 Data Privacy in Europe What does it mean to US businesses? Paula Barrett Partner, Eversheds LLP, UK July 2005 Introduction Why the need for the Data Privacy regulation? reflects the technological age we live in seeking to balance business needs vs individual privacy European Data Privacy Derived from the EU Data Protection Directive 95/46/EC Aim of harmonisation not achieved. Directive has been implemented differently in each jurisdiction + local laws overlap Need to look beyond the wording of the Directive and consider local laws when building compliance programme.

2 Why Care? Can apply to US Companies: Where an individuals personal information is processed by or on behalf of that US Company using equipment located in the EEA Where the US company has an office, branch or agency in the EEA or acquires a corporate entity within the EEA which is processing individuals personal information Implications of non-compliance Liability for loss (damage/distress) Fines Data may have to be destroyed, cleansed or cannot be used in evidence Complaint to Commission or local regulatory authority Bad publicity Bad employee relations Disruption to corporate transactions/company value damage

3 The Basics The Basics The Directive applies to the processing of personal data In summary personal data means: you can identify living person from it e.g.. contains their name, photo, voice; or can identify living person from it + other data in employer s possession e.g.. contains a home address, an identity number, relates to incident involving the individual Includes information being processed electronically/by computer manual records in a structured filing system

4 The Basics (cont.) Also have sensitive personal data personal data which refers to racial/ethnic origin, religious or philosophical beliefs, political opinions, trade union membership, health or sexual life And finally what s processing? Just about everything you usually do with data! includes recording it, storing it and deleting it Controller v Processor All the obligations fall on the shoulders of the data controller; but there are local law variances e.g. Republic of Ireland. Data Controller Any person which (alone or jointly with others) determines the purposes and means of processing Data Processor: Any person which processes personal data on behalf of the Data Controller

5 Controller s Duties Personal Data must be:- processed fairly and lawfully collected for specified, explicit and legitimate purpose and not processed further in an incompatible way adequate, relevant and not excessive accurate and, where necessary, kept up to date not kept for longer than necessary processed in accordance with individuals rights secured against accidental or unlawful loss, alteration or unauthorised disclosure, access or other processing. Fair and Lawful Processing Information to be given to Individual Identity of data controller/nominated representative Purpose of processing data Any further information necessary to guarantee fair processing e.g. that it will be transferred outside of EEA, who else it will be disclosed to, existence of access rights Processing must be lawful - in compliance with notification and other local laws

6 Legitimate Processing To process personal data, must satisfy one of the specified legitimate criteria (Art. 7) e.g. unambiguous consent of data subject, processing necessary for performance of contract with data subject, necessary to comply with legal obligation, legitimate interest If sensitive personal data, must also satisfy criteria in Art. 8 e.g. have explicit consent (usually in writing), necessary for performance of legal right in employment context, protecting vital interests of data subject N.B. in some countries e.g. Portugal also need approval of regulatory authority Access Rights Individual s right of access: request for access in writing entitled to know what data about them being processed, why and who might receive it usually entitled to the information (e.g. copies of it) employer to comply within 40 days of request But there are exemptions from access right, e.g. management forecasting/planning + prejudice management intentions in negotiations + prejudice legal professional privilege confidential references May refuse access where 3rd party involved: have you got 3rd party consent? is it reasonable to disclose without consent?

7 Staff Recruitment and Selection Advertising and Applications Identify to whom the information will be provided: name of employer (including any group companies) any recruitment agency Identify how the information provided will be used (unless self evident) Consider whether appropriate to use the same application form for every job Only seek relevant personal data Only request information about criminal convictions if justified in terms of role offered Secure method of sending in applications Policy for applications sent on-spec Requesting sensitive personal data

8 Interviewing Remember - notes may be seen by applicants via access requests Only record and retain personal information relevant to, and necessary for the recruitment process itself, or defending the process against challenge Provide guidance to managers on interviews interview notes are a fertile ground for discrimination cases Verification and Pre-employment vetting Inform applicants if information may be checked Obtain signed consent if requesting the release of documents from a third party Only use vetting where there is a particular or significant risk and where there is no less intrusive alternative Only carry out at an appropriate point, ie once a suitable candidate has been identified Provide full information about the process to the applicant

9 Medical questionnaires Only use to highlight potential areas of concern Only ask relevant questions - avoid using a standard Obtain explicit consent and satisfy a further sensitive personal data condition Avoid sending at an early stage of the recruitment process Do not reject a candidate on questionnaire alone: medical examination reasonable adjustment Keep secure and confidential Only retain necessary relevant information Managing Employee Records

10 Collecting and keeping employment records Information notice fact sheet data protection policy employee handbook Sensitive Personal Data Consent vs. necessary as a result of employment law Ensure Relevance Accuracy and validity checks Disciplinary records and grievance investigations Remember - right of access available Access requests frequently used to get early disclosure for employee claims Ensure good housekeeping Impact on tribunal claims fishing expeditions by both employer and employee: Do not access or use information you keep about workers merely because it might have some relevance to a disciplinary or grievance investigation, if access or use would be either: Incompatible with the purpose(s) you obtained the information for or Disproportionate to the seriousness of the matter under investigation

11 How long should you keep information? for no longer than is necessary evaluate in each case professional guidelines/ limitation periods Set an Employee Data Retention policy then apply it Secure destruction How to keep information Physical security: Locked filing cabinets IT security: Password protection Firewalls Laptops Contractual security all data processors Reliability of staff: Training (example criminal offence) Telephone enquiries Secure destruction.

12 Disclosing information to third parties Legal obligation Fairness Disclosure Policy Check identity and authority Sensitive Personal Data Inform worker but not if tip off Keep a record of requests Monitoring in the Workplace

13 Monitoring vs Privacy Form of observation Systematic Monitoring Occasional Monitoring Complex Legal Framework varies from Country to Country Data Protection legislation Labour law Human Rights Spying controls Common theme information should be provided about potential monitoring Example - UK Legal Framework Oftel guidance on intercepting phone calls The Regulation of Investigatory Powers Act 2000 The Telecommunications (Lawful Business Practices) (Interception of Communications) Regulations 2000 The Data Protection Act 1998 The Employment Practices Data Protection Code Privacy and e-communications Regulations

14 Marketing Marketing Understand what data you collect and what you do with it Common mistake to assume b2b communication not covered How do you communicate s and SMS more tightly controlled. Opt In/Opt Out are you using the correct approach to collect consent Impact of Privacy and e-commerce Directive Opt in consent for and SMS unless satisfy exceptions Check mailing and telephone contact lists against preference agency registers Check the scope of consents obtained are correct Think long term when drafting consents Sharing of databases be careful have you got consent? Buying databases get assurances but YOUR responsibility Selling databases consent is king Cleansing databases

15 Transfers to the US Transfers outside of EEA Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data

16 Transfer outside of EEA EEA? - EU and Iceland, Liechtenstein and Norway The EU Commission decides whether a country has adequate protection Currently (18/7/2005) Hungary Switzerland US companies signed up to Safe harbor Canada though not entirely (see y-faq_en.htm#1) Argentina (as of 30 June 2003) Transborder Transfer Mechanisms Does derogation apply? Data subject consents (not all countries allow e.g. France) Necessary to perform contract with data subject Necessary for conclusion or performance of contract with third party concluded in interest of employee Necessary for establishing, defending or exercising legal claims Necessary to protect vital interests of the data subject

17 Transborder Transfer Mechanisms (cont.) If exemption doesn t apply need to ensure adequacy Self Assessment of Adequacy US Safe Harbor Registration EC Model Clause Contract EC Approved Binding Intra Group Rules Pros and Cons to each of these Consider other practical steps e.g. can data be anonymised before transfer Consent Sensitive Data - must be explicit. Usually required in writing. Other Personal Data any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed Silence/no response is not consent Is employee really free to give consent?

18 Self Assessment No real guidance riskier option Risk assessment Time, expense and no guarantees If undertaken will need to take further steps keep assessing further precautions Safe Harbor US only Not all sectors covered Annual audit and certification Potential for class actions Investigation and Fines from FTC Low take up Consider applying where large amount of transfers Simplicity when dealing with third parties

19 EC Model Processor and Controller to Controller versions Simplicity of solution key advantage here but: Euro speak onerous e.g. enforceable by third parties Can t modify them New Versions released earlier this year more business friendly Binding Corporate Rules New Solution - only applicable for intra-group transfers The rules must be binding internally & externally be legally enforceable by data subjects & data protection authorities contain a duty to inform the data protection authority if a member of the corporate group may be unable to fulfil its obligations, if this will have a substantial effect Problem - Individual Approval by Commission or Member State data protection authorities. Good idea but not yet implemented

20 Other concerns Fair Processing still need to inform individual that transfer may take place and where to still need legitimate reason to carry out processing Prior approval from local regulatory body may still be required in some jurisdictions for transfer outside EEA e.g France to process sensitive data e.g. Spain Compliance and Round-Up

21 Summary and practical steps Audit basic understanding of what you do with data is vital Employee Data Employer Data Protection Policy Retention Periods & Housekeeping Review employee contracts, applications forms, handbooks Monitoring make sure covered in privacy or IT policy Consent understand when you need it and add appropriate wording Information Notices - duty to inform even if consent not needed Practical Steps Marketing check marketing consents and website policies How compliant are your databases is a cleansing programme needed? Retention/security Have you got notifications/registrations in place in each country? Transfers to US evaluate which solution/combination fits your business Training Often overlooked but an essential part of compliance Executive buy-in Benefit of compliance v non compliance

22 Questions. Thanks for listening Please contact me if you have any further queries Paula Barrett Partner, Eversheds LLP Tel: Cell: Fax: